
Windows Analysis Report
E84Ddy7gSh.exe

Overview

General Information

Sample name: E84Ddy7gSh.exe (renamed because the original name is a hash value)
Original sample name: 7fce076ae6458c561dcb1e5cd6a1de47aa114d5758dc791f0a94402ac4a9f2ee.exe
Analysis ID: 1567509
MD5: 60e18d4606431a33c406c1ad21ddc4e2
SHA1: f8e773f104fcfd6df48ee21591ce8890fd8942c5
SHA256: 7fce076ae6458c561dcb1e5cd6a1de47aa114d5758dc791f0a94402ac4a9f2ee
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • E84Ddy7gSh.exe (PID: 1544 cmdline: "C:\Users\user\Desktop\E84Ddy7gSh.exe" MD5: 60E18D4606431A33C406C1AD21DDC4E2)
    • WerFault.exe (PID: 5984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1072 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1080 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1140 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1176 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1204 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • yava_vd.exe (PID: 3520 cmdline: "C:\Users\user\AppData\Roaming\yava\yava_vd.exe" MD5: 60E18D4606431A33C406C1AD21DDC4E2)
      • WerFault.exe (PID: 7164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 740 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 760 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yava_vd.exe (PID: 6308 cmdline: "C:\Users\user\AppData\Roaming\yava\yava_vd.exe" MD5: 60E18D4606431A33C406C1AD21DDC4E2)
    • WerFault.exe (PID: 5004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 524 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yava_vd.exe (PID: 2564 cmdline: "C:\Users\user\AppData\Roaming\yava\yava_vd.exe" MD5: 60E18D4606431A33C406C1AD21DDC4E2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": ["27.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yava_vd.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-D7NPY6", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "yava", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings (matched strings are listed under each row)
00000021.00000002.2367559880.0000000002DDA000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1728:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0xd80:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000010.00000002.4401266733.0000000002D07000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x12a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(87 entries in the full report; 5 shown here)
Source | Rule | Description | Author | Strings (matched strings are listed under each row)
16.3.yava_vd.exe.2fc0000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
16.3.yava_vd.exe.2fc0000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
16.3.yava_vd.exe.2fc0000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
16.3.yava_vd.exe.2fc0000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
16.3.yava_vd.exe.2fc0000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(139 entries in the full report; 5 shown here)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\yava\yava_vd.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\E84Ddy7gSh.exe, ProcessId: 1544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-D7NPY6

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 7F EC 68 F4 FE 2C 5C 7B E9 2D A8 63 A2 B7 47 33 7A 2A 01 22 8D AB A5 91 D3 08 27 39 49 05 A9 35 0F AB EC 4C C5 7E 1A 6A 49 0D 2C 5C 1F 29 F2 98 BB B6 49 10 58 0C 15 0B 38 91 60 91 E5 3D BA EA C9 E0 AB 43 9A 5D 58 34 41 8E 4B B9 A2 12 21 83 4F BF 2E C2 9D 1B E8 49 0C 05 5D 6E F6 57 B4 33 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yava\yava_vd.exe, ProcessId: 3520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-D7NPY6\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T16:28:34.929805+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 198.23.227.212 | 32583 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T16:28:50.463184+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 178.237.33.50 | 80 | TCP


AV Detection

Source: E84Ddy7gSh.exe | Avira: detected
Source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["27.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yava_vd.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-D7NPY6", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "yava", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | ReversingLabs: Detection: 68%
Source: E84Ddy7gSh.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314578868.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: E84Ddy7gSh.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04853B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_04853B2F
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_004338C8
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C73B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_02C73B2F
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_004338C8
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E83B2F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_02E83B2F
Source: E84Ddy7gSh.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00407538 _wcslen,CoGetObject,16_2_00407538
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00407538 _wcslen,CoGetObject,21_2_00407538
Source: E84Ddy7gSh.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0483C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0483C589
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0482C5EF
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0482BDD2
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04839DED FindFirstFileW,0_2_04839DED
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04829907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_04829907
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04828AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_04828AAE
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04827ADE FindFirstFileW,FindNextFileW,0_2_04827ADE
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040928E
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041C322
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040C388
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004096A0
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00408847
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00407877 FindFirstFileW,FindNextFileW,16_2_00407877
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00419B86
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040BD72
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_02C4C5EF
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C5C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_02C5C589
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C47ADE FindFirstFileW,FindNextFileW,16_2_02C47ADE
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C48AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_02C48AAE
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C49907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_02C49907
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_02C4BDD2
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C59DED FindFirstFileW,16_2_02C59DED
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_0040928E
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_0041C322
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_0040C388
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_004096A0
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_00408847
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00407877 FindFirstFileW,FindNextFileW,21_2_00407877
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00419B86
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040BD72
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_02E5C5EF
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E6C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_02E6C589
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E57ADE FindFirstFileW,FindNextFileW,21_2_02E57ADE
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E58AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_02E58AAE
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E59907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_02E59907
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E69DED FindFirstFileW,21_2_02E69DED
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_02E5BDD2
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49734 -> 198.23.227.212:32583
            Source: Malware configuration extractorURLs: 27.212
            Source: global trafficTCP traffic: 192.168.2.4:49734 -> 198.23.227.212:32583
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: Joe Sandbox ViewIP Address: 198.23.227.212 198.23.227.212
            Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
            Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
            Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49752 -> 178.237.33.50:80
            Source: unknownTCP traffic detected without corresponding DNS query: 198.23.227.212
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B411
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: yava_vd.exe, 00000010.00000003.2314673167.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000003.2314858832.0000000002DB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
            Source: yava_vd.exeString found in binary or memory: http://geoplugin.net/json.gp
            Source: yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp#
            Source: yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp&
            Source: E84Ddy7gSh.exe, 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, E84Ddy7gSh.exe, 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, E84Ddy7gSh.exe, 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yava_vd.exe, 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yava_vd.exe, 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yava_vd.exe, 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp7
            Source: yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp=
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
            Source: Amcache.hve.3.drString found in binary or memory: http://upx.sf.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000000_2_0040A2F3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168FC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 16_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,16_2_004168FC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 21_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_004168FC
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A41B
            Source: Yara matchFile source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2314578868.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

            barindex
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0041CA6D SystemParametersInfoW,0_2_0041CA6D
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0041CA73 SystemParametersInfoW,0_2_0041CA73
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0483CCD4 SystemParametersInfoW,0_2_0483CCD4
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0483CCDA SystemParametersInfoW,0_2_0483CCDA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 16_2_0041CA6D SystemParametersInfoW,16_2_0041CA6D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 16_2_0041CA73 SystemParametersInfoW,16_2_0041CA73
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 16_2_02C5CCD4 SystemParametersInfoW,16_2_02C5CCD4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 16_2_02C5CCDA SystemParametersInfoW,16_2_02C5CCDA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 21_2_0041CA6D SystemParametersInfoW,21_2_0041CA6D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 21_2_0041CA73 SystemParametersInfoW,21_2_0041CA73
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 21_2_02E6CCD4 SystemParametersInfoW,21_2_02E6CCD4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: 21_2_02E6CCDA SystemParametersInfoW,21_2_02E6CCDA

            System Summary

            barindex
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000021.00000002.2367559880.0000000002DDA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000010.00000002.4401266733.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000015.00000002.2340091843.0000000002F2A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04833574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0483BE01 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0483BE2D OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0483D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C53574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C5D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C5BE01 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C5BE2D OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E63574 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E6D887 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E6BE2D OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E6BE01 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04836A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C56A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E66A5B ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043706A
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00414005
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043E11C
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004541D9
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004381E8
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041F18B
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00446270
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043E34B
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004533AB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0042742E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00437566
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043E5A8
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004387F0
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043797E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_004339D7
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0044DA49
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00427AD7
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0041DBF3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00427C40
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00437DB3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00435EEB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0043DEED
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_00426E9F
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_048664D7
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0485E5B2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04847695
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04873612
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04847106
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0485E154
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_048572D1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0485E383
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0483F3F2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04853C3E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04847D3E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04847EA7
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0483DE5A
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_0485E80F
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: 0_2_04858A57
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043706A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00414005
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043E11C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004541D9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004381E8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041F18B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00446270
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043E34B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004533AB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0042742E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00437566
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043E5A8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004387F0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043797E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_004339D7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0044DA49
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00427AD7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0041DBF3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00427C40
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00437DB3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00435EEB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_0043DEED
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_00426E9F
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C772D1
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C5F3F2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C7E383
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C7E154
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C67106
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C67695
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C93612
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C864D7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C7E5B2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C78A57
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C7E80F
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C67EA7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C5DE5A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C73C3E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 16_2_02C67D3E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043706A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00414005
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043E11C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004541D9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004381E8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041F18B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00446270
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043E34B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004533AB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0042742E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00437566
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043E5A8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004387F0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043797E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_004339D7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0044DA49
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00427AD7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0041DBF3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00427C40
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00437DB3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00435EEB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_0043DEED
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_00426E9F
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E872D1
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E6F3F2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E8E383
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E8E154
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E77106
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E77695
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02EA3612
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E964D7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E8E5B2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E88A57
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E8E80F
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E77EA7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E6DE5A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E83C3E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: 21_2_02E77D3E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 048550D7 appears 45 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 00402093 appears 50 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 00434801 appears 41 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 04854A68 appears 41 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 00401E65 appears 35 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Code function: String function: 00434E70 appears 54 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 0040417E appears 46 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00434801 appears 82 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00457AA8 appears 34 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 02E84A68 appears 41 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00445951 appears 56 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00402213 appears 38 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 004052FD appears 32 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00434E70 appears 108 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00401FAB appears 39 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 02C750D7 appears 45 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00411FA2 appears 32 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 02C74A68 appears 41 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00402093 appears 100 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 004020DF appears 40 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 004046F7 appears 34 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 00401E65 appears 69 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 0044854A appears 36 times
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe Code function: String function: 02E850D7 appears 45 times
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1072
            Source: E84Ddy7gSh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000021.00000002.2367559880.0000000002DDA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000010.00000002.4401266733.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000015.00000002.2340091843.0000000002F2A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: E84Ddy7gSh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: yava_vd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@21/72@1/2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_0041798D
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04837BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_04837BF4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 16_2_0041798D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C57BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 16_2_02C57BF4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 21_2_0041798D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E67BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 21_2_02E67BF4
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 0_2_0040F4AF
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, | 0_2_0041B539
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_0041AADB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | File created: C:\Users\user\AppData\Roaming\yava
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6308
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-D7NPY6
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3520
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1544
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4b9b3d54-a5f5-4a1b-80ae-189355b0f7a3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Software\ | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Rmc-D7NPY6 | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Exe | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Exe | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Rmc-D7NPY6 | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Inj | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Inj | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: 8SG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: exepath | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: 8SG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: exepath | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: licence | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: dMG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: PSG | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: Administrator | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: User | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: del | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: del | 0_2_0040EA00
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Command line argument: del | 0_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Software\ | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Rmc-D7NPY6 | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Exe | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Exe | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Rmc-D7NPY6 | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Inj | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Inj | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: 8SG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: exepath | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: 8SG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: exepath | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: licence | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: dMG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PSG | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Administrator | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: User | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 16_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Software\ | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Exe | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Inj | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Inj | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: 8SG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: exepath | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: 8SG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: exepath | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: licence | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: dMG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: PSG | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: Administrator | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: User | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 21_2_0040EA00
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Command line argument: del | 21_2_0040EA00
            Source: E84Ddy7gSh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: E84Ddy7gSh.exe | ReversingLabs: Detection: 68%
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | File read: C:\Users\user\Desktop\E84Ddy7gSh.exe
            Source: unknown | Process created: C:\Users\user\Desktop\E84Ddy7gSh.exe "C:\Users\user\Desktop\E84Ddy7gSh.exe"
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1072
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1080
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1132
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1140
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1176
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1204
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe "C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 972
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe "C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 704
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 740
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 728
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 524
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 796
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 804
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe "C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 760
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeProcess created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe "C:\Users\user\AppData\Roaming\yava\yava_vd.exe" Jump to behavior
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: slc.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: msvcr100.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Unpacked PE file: 0.2.E84Ddy7gSh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.voguxu:W;.tls:W;.duhasid:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Unpacked PE file: 16.2.yava_vd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.voguxu:W;.tls:W;.duhasid:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Unpacked PE file: 21.2.yava_vd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.voguxu:W;.tls:W;.duhasid:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Unpacked PE file: 33.2.yava_vd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.voguxu:W;.tls:W;.duhasid:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,    0_2_0041CBE1
            Source: E84Ddy7gSh.exe    Static PE information: section name: .voguxu
            Source: E84Ddy7gSh.exe    Static PE information: section name: .duhasid
            Source: yava_vd.exe.0.dr    Static PE information: section name: .voguxu
            Source: yava_vd.exe.0.dr    Static PE information: section name: .duhasid
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_00457186 push ecx; ret    0_2_00457199
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0041C7F3 push eax; retf    0_2_0041C7FD
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_00457AA8 push eax; ret    0_2_00457AC6
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_00434EB6 push ecx; ret    0_2_00434EC9
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_02D0B2B4 push FFFFFFF6h; retf    0_2_02D0B2B6
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_02D0C06E push 016C66B2h; iretd    0_2_02D0C0F1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_02D09781 push cs; ret    0_2_02D09784
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_02D0A84D push eax; retf    0_2_02D0A84F
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_02D0BF9E push 016C66B2h; iretd    0_2_02D0C0F1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0485511D push ecx; ret    0_2_04855130
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_048773ED push ecx; ret    0_2_04877400
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_04877D0F push eax; ret    0_2_04877D2D
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0483CA5A push eax; retf    0_2_0483CA64
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_00457186 push ecx; ret    16_2_00457199
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_0041C7F3 push eax; retf    16_2_0041C7FD
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_00457AA8 push eax; ret    16_2_00457AC6
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_00434EB6 push ecx; ret    16_2_00434EC9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02C973ED push ecx; ret    16_2_02C97400
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02C7511D push ecx; ret    16_2_02C75130
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02C5CA5A push eax; retf    16_2_02C5CA64
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02C97D0F push eax; ret    16_2_02C97D2D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02D0B7DC push FFFFFFF6h; retf    16_2_02D0B7DE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02D0C4C6 push 016C66B2h; iretd    16_2_02D0C619
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02D0C596 push 016C66B2h; iretd    16_2_02D0C619
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02D09CA9 push cs; ret    16_2_02D09CAC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 16_2_02D0AD75 push eax; retf    16_2_02D0AD77
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 21_2_00457186 push ecx; ret    21_2_00457199
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 21_2_0041C7F3 push eax; retf    21_2_0041C7FD
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 21_2_00457AA8 push eax; ret    21_2_00457AC6
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 21_2_00434EB6 push ecx; ret    21_2_00434EC9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe    Code function: 21_2_02EA73ED push ecx; ret    21_2_02EA7400
            Source: E84Ddy7gSh.exe    Static PE information: section name: .text entropy: 7.936561536852126
            Source: yava_vd.exe.0.dr    Static PE information: section name: .text entropy: 7.936561536852126
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW,    0_2_00406EEB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    File created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe

            Boot Survival

            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-D7NPY6
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,    0_2_0041AADB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,    0_2_0041CBE1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482FA49 Sleep,ExitProcess,0_2_0482FA49
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040F7E2 Sleep,ExitProcess,16_2_0040F7E2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4FA49 Sleep,ExitProcess,16_2_02C4FA49
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040F7E2 Sleep,ExitProcess,21_2_0040F7E2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5FA49 Sleep,ExitProcess,21_2_02E5FA49
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0483AA40
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_0041A7D9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_02C5AA40
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,21_2_0041A7D9
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,21_2_02E6AA40
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Window / User API: threadDelayed 9734
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Evaded block: after key decision (graph_0-85921)
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Evaded block: after key decision (graph_0-85948)
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | API coverage: 4.1 %
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | API coverage: 6.6 %
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | API coverage: 3.7 %
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe TID: 6776 | Thread sleep count: 256 > 30
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe TID: 6776 | Thread sleep time: -768000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe TID: 6776 | Thread sleep count: 9734 > 30
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe TID: 6776 | Thread sleep time: -29202000s >= -30000s
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0483C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0483C589
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0482C5EF
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0482BDD2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04839DED FindFirstFileW,0_2_04839DED
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04829907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_04829907
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04828AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_04828AAE
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04827ADE FindFirstFileW,FindNextFileW,0_2_04827ADE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00407877 FindFirstFileW,FindNextFileW,16_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_02C4C5EF
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C5C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_02C5C589
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C47ADE FindFirstFileW,FindNextFileW,16_2_02C47ADE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C48AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_02C48AAE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C49907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_02C49907
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_02C4BDD2
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C59DED FindFirstFileW,16_2_02C59DED
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_0040928E
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_0041C322
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_0040C388
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_004096A0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_00408847
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00407877 FindFirstFileW,FindNextFileW,21_2_00407877
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040BB6B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00419B86
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040BD72
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5C5EF FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,21_2_02E5C5EF
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E6C589 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,21_2_02E6C589
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E57ADE FindFirstFileW,FindNextFileW,21_2_02E57ADE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E58AAE __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,21_2_02E58AAE
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E59907 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,21_2_02E59907
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E69DED FindFirstFileW,21_2_02E69DED
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5BDD2 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_02E5BDD2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
            Source: Amcache.hve.3.dr | Binary or memory string: VMware
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: yava_vd.exe, 00000010.00000003.2314858832.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401365489.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXm
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00402888 LdrInitializeThunk,0_2_00402888
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_02D0768B push dword ptr fs:[00000030h] 0_2_02D0768B
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_048635BC mov eax, dword ptr fs:[00000030h] 0_2_048635BC
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04820D90 mov eax, dword ptr fs:[00000030h] 0_2_04820D90
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0482092B mov eax, dword ptr fs:[00000030h] 0_2_0482092B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00443355 mov eax, dword ptr fs:[00000030h] 16_2_00443355
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C835BC mov eax, dword ptr fs:[00000030h] 16_2_02C835BC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C4092B mov eax, dword ptr fs:[00000030h] 16_2_02C4092B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C40D90 mov eax, dword ptr fs:[00000030h] 16_2_02C40D90
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02D07BB3 push dword ptr fs:[00000030h] 16_2_02D07BB3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00443355 mov eax, dword ptr fs:[00000030h] 21_2_00443355
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E935BC mov eax, dword ptr fs:[00000030h] 21_2_02E935BC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E5092B mov eax, dword ptr fs:[00000030h] 21_2_02E5092B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E50D90 mov eax, dword ptr fs:[00000030h] 21_2_02E50D90
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02F2B033 push dword ptr fs:[00000030h] 21_2_02F2B033
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_048552A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_048552A3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_04854CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_04854CF1
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: 0_2_0485BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0485BDD8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0043503C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00434A8A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0043BB71
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_00434BD8 SetUnhandledExceptionFilter,16_2_00434BD8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C752A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_02C752A3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C74CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_02C74CF1
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 16_2_02C7BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_02C7BDD8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_0043503C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00434A8A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_0043BB71
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_00434BD8 SetUnhandledExceptionFilter,21_2_00434BD8
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E852A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_02E852A3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E84CF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_02E84CF1
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: 21_2_02E8BDD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_02E8BDD8
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00412132
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe16_2_00412132
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe21_2_00412132
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_00419662 mouse_event,0_2_00419662
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeProcess created: C:\Users\user\AppData\Roaming\yava\yava_vd.exe "C:\Users\user\AppData\Roaming\yava\yava_vd.exe" Jump to behavior
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager!
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager2
            Source: yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_00434CB6 cpuid 0_2_00434CB6
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_0045201B
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_004520B6
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_00452393
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_00448484
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_004525C3
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_0044896D
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoA,0_2_0040F90C
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_00451FD0
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_048725FA
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_048686EB
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_04872723
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_04872282
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_04872237
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: EnumSystemLocalesW,0_2_0487231D
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_04871FBF
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_048728F7
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_0487282A
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoW,0_2_04868BD4
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: GetLocaleInfoA,0_2_0482FB73
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoA,16_2_0040F90C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_0045201B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_004520B6
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_00452143
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_00452393
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_00448484
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_004524BC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_004525C3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_00452690
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_0044896D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_00451D58
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_00451FD0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_02C92282
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_02C92237
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_02C9231D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,16_2_02C886EB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_02C92723
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_02C925FA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_02C88BD4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoA,16_2_02C4FB73
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_02C928F7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,16_2_02C9282A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_02C91FBF
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_0045201B
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_004520B6
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_00452143
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_00452393
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_00448484
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_004524BC
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_004525C3
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_00452690
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_0044896D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoA,21_2_0040F90C
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00451D58
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_00451FD0
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_02EA2282
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_02EA2237
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_02EA231D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: EnumSystemLocalesW,21_2_02E986EB
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_02EA2723
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_02EA25FA
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_02E98BD4
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoA,21_2_02E5FB73
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_02EA28F7
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: GetLocaleInfoW,21_2_02EA282A
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_02EA1FBF
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0041A045 __EH_prolog,734B5D90,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,0_2_0041A045
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
            Source: C:\Users\user\Desktop\E84Ddy7gSh.exeCode function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0044942D
            Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314578868.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0040BA4D
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_0040BA4D
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: \key3.db 0_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 16_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \key3.db 16_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 21_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: \key3.db 21_2_0040BB6B

Remote Access Functionality

Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-D7NPY6
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-D7NPY6
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-D7NPY6
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-D7NPY6
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.2d20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.4820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.yava_vd.exe.2e50e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yava_vd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E84Ddy7gSh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.yava_vd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.3.yava_vd.exe.3110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.E84Ddy7gSh.exe.48a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.yava_vd.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.yava_vd.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314578868.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E84Ddy7gSh.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 3520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 6308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yava_vd.exe PID: 2564, type: MEMORYSTR
Source: C:\Users\user\Desktop\E84Ddy7gSh.exe | Code function: cmd.exe 0_2_0040569A
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: cmd.exe 16_2_0040569A
Source: C:\Users\user\AppData\Roaming\yava\yava_vd.exe | Code function: cmd.exe 21_2_0040569A
MITRE ATT&CK matrix (one row per line; a leading number in a cell is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 3 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 12 Software Packing | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 DLL Side-Loading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 22 Process Injection | 1 Bypass User Account Control | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 2 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 22 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1567509 | Sample: E84Ddy7gSh.exe | Start date: 03/12/2024 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: geoplugin.net
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  Processes started: E84Ddy7gSh.exe (1, 4); yava_vd.exe; yava_vd.exe

E84Ddy7gSh.exe
  Files dropped: C:\Users\user\AppData\Roaming\...\yava_vd.exe (PE32); C:\Users\user\...\yava_vd.exe:Zone.Identifier (ASCII)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 6 other signatures
  Processes started: yava_vd.exe; WerFault.exe (16); WerFault.exe (16); 6 other processes

yava_vd.exe (started from the start node)
  Processes started: WerFault.exe

yava_vd.exe (started by E84Ddy7gSh.exe)
  DNS/IP: 198.23.227.212, 32583, 49734, AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50, 49752, 80, ATOM86-ASATOM86NL, Netherlands
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); 5 other signatures
  Processes started: WerFault.exe; WerFault.exe; WerFault.exe; 5 other processes

WerFault.exe instances (started by E84Ddy7gSh.exe) and the 6 other processes
  Files dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode), one per WerFault.exe instance; 3 other malicious files

Source | Detection | Scanner | Label
E84Ddy7gSh.exe | 68% | ReversingLabs | Win32.Rootkit.BootkitX
E84Ddy7gSh.exe | 100% | Avira | TR/AD.Remcos.eaidn
E84Ddy7gSh.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\yava\yava_vd.exe | 68% | ReversingLabs | Win32.Rootkit.BootkitX
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
27.212 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
27.212 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Reputation
http://geoplugin.net/json.gp# | yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp | false | high
http://upx.sf.net | Amcache.hve.3.dr | false | high
http://geoplugin.net/json.gp7 | yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp | false | high
http://geoplugin.net/json.gp& | yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp | false | high
http://geoplugin.net/ | yava_vd.exe, 00000010.00000003.2314673167.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000003.2314858832.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp | false | high
http://geoplugin.net/json.gp/C | E84Ddy7gSh.exe, 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, E84Ddy7gSh.exe, 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, E84Ddy7gSh.exe, 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yava_vd.exe, 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yava_vd.exe, 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yava_vd.exe, 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, yava_vd.exe, 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp | false | high
http://geoplugin.net/json.gpSystem32 | yava_vd.exe, 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp | false | high
http://geoplugin.net/json.gp= | yava_vd.exe, 00000010.00000003.2314673167.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, yava_vd.exe, 00000010.00000002.4401297367.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
198.23.227.212 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1567509
                                Start date and time:2024-12-03 16:26:53 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 11m 17s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:40
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:E84Ddy7gSh.exe
                                renamed because original name is a hash value
                                Original Sample Name:7fce076ae6458c561dcb1e5cd6a1de47aa114d5758dc791f0a94402ac4a9f2ee.exe
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@21/72@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 14
                                • Number of non-executed functions: 399
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): WerFault.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.42.65.92
                                • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: E84Ddy7gSh.exe
Time | Type | Description
10:28:49 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
10:29:09 | API Interceptor | 3820056x Sleep call for process: yava_vd.exe modified
15:28:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-D7NPY6 "C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
15:28:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-D7NPY6 "C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.23.227.212 | advancePayment-pdf.exe | malicious | Remcos |
198.23.227.212 | YESOHDKMIm.exe | malicious | Remcos |
198.23.227.212 | NujUXO42Rg.exe | malicious | Remcos |
198.23.227.212 | ZeaS4nUxg4.exe | malicious | Remcos |
198.23.227.212 | documents-pdf.exe | malicious | Remcos |
198.23.227.212 | 1kZ9olJiaG.exe | malicious | Remcos |
198.23.227.212 | ltlbVjClX9.exe | malicious | Remcos |
178.237.33.50 | z49FACTURA-0987678.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LBzGgy6rnu.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | EIuz8Bk9kGav2ix.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 0200011080.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | 1099833039444.pdf.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | FAT6789098700900.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INTECH RFQ EN241813.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | z49FACTURA-0987678.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
geoplugin.net | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | lxnFs9LHSe.exe | malicious | Unknown | 104.168.28.10
AS-COLOCROSSINGUS | z49FACTURA-0987678.exe | malicious | Remcos | 192.210.150.26
AS-COLOCROSSINGUS | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 192.3.64.152
AS-COLOCROSSINGUS | a-r.m-6.SNOOPY.elf | malicious | Gafgyt | 192.3.179.33
AS-COLOCROSSINGUS | FAT6789098700900.scr.exe | malicious | Remcos | 192.210.150.26
AS-COLOCROSSINGUS | INTECH RFQ EN241813.exe | malicious | Remcos | 104.168.7.16
AS-COLOCROSSINGUS | https://a.rs6.net/1/pc?ep=e4f2f4ad2c30fbb2SK2ZyQxbsE02cV3UOfuPD-JxSRgUD6Y86mFtUF3WRqjeuMrz9o3Xbb320wCTDsWWUHuFG0qWroCiniptiREBdHyyzdrPc45m6t-HBEB7SZ8gZX4dYr4o80JwDUJz1eSGQlrcb9as_P_3jZu-t-DrRTdQARm9vPjp5IAqdyzm4bLxpaVnP8_0eRiLoUggvzge&c=$%7bContact.encryptedContactId%7d | malicious | HTMLPhisher | 206.217.129.92
AS-COLOCROSSINGUS | seemebestgoodluckthings.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.12
AS-COLOCROSSINGUS | PI-02911202409#.xla.xlsx | malicious | FormBook, HTMLPhisher | 172.245.123.12
AS-COLOCROSSINGUS | la.bot.mips.elf | malicious | Mirai | 107.175.186.126
ATOM86-ASATOM86NL | z49FACTURA-0987678.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
                                              No context
                                              No context
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9515242074566659
                                              Encrypted:false
                                              SSDEEP:96:Sg8YcdsGhqdoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/opAnQPxVg7TFOy4tZrXOn7:Zcd26056rQjxPZrx4zuiFGZ24IO8fx
                                              MD5:1B543B87714F845D9A6F647D2E68C7DA
                                              SHA1:BC0099750B051B598CEE694420CA7B358A00F441
                                              SHA-256:99DE722FEAA88F076946A662A565D58959A797600D0FB1E30B436D7C6556A32B
                                              SHA-512:C3673D9930DA23B487C6B52BD19E2FCC3D9FF286479D6482CEA6A840D03EEC6CE0DB0F5348BC2931686B82C5DFC8BC4C06F871182747AE4605EEBB7E2039D2E0
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.944534868670405
                                              Encrypted:false
                                              SSDEEP:96:bpoYcSsGhqdoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/opAnQPxVg7TFOy4tZrXOn5:3cS26056rQjxPZrxyzuiFGZ24IO8fx
                                              MD5:6F14A52C306377635BCDA8D5B5ADF071
                                              SHA1:5A55C3B8C05DA60A6900F7002CAB77F5C85BCD46
                                              SHA-256:D03428F46C32E964A85AF2D719BD38628872A7573FF28E754B89973B7E848758
                                              SHA-512:F61B81A4E05BB8D4D62B663AAD8F499C8FE25FAB349E8D0E5FD0A24F2FCCF8C16F879B6294BFAE6D6C6A9534C60AB0B61646BA8186AE45195CB78603A71E5E59
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.951544202122989
                                              Encrypted:false
                                              SSDEEP:96:nXYc1HsGhqdoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/opAnQPxVg7TFOy4tZrXOn7:oct26056rQjxPZrx4zuiFGZ24IO8fx
                                              MD5:D47809F90DD913910F726C8F6D78556D
                                              SHA1:81250088E91B72C0A617E7562B8C96DA35AEBE5A
                                              SHA-256:12B4315D9293A3B497C14FD7B2D538CC4AE097BD4228C1A45CD1DD25B824FCA6
                                              SHA-512:9E08A5D438EB81B22D9C617FEA8FCEB0AAAEA8F3F417A31AAF5D1DBD8FE32D7BEF947E96B9D8E1DA08F83E2B12B3EDAF95A51A01561A2B5DD5671E80EF3E7193
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9444127976438875
                                              Encrypted:false
                                              SSDEEP:96:MzDcoWYcisGhqdoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/opAnQPxVg7TFOy4tZrh:PCci26056rQjxPZrxyzuiFhZ24IO8fx
                                              MD5:D46C46E1DA7134B52A102F275AE6DB24
                                              SHA1:C08CDD190CC0D0C0D26AAA5A57CCA2208CDE4C45
                                              SHA-256:19C6BED5D243689463EDB736D8911CEAC17ED544C3A007EC0178225407E11297
                                              SHA-512:B4FCB65BBD4ACBE7DE5F47DD6538368F91682223DF461650E173332744492AF4FA4E2D89363F366F8BB3DF24F662EB45D8E6634B9A2FC21483546D6F9E855642
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):65536
                                              Entropy (8bit):0.9513634608408535
                                              Encrypted:false
                                              SSDEEP:96:FHYcosGhqdoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/opAnQPxVg7TFOy4tZrXOnmS:+co26056rQjxPZrx4zuiFGZ24IO8fx
                                              MD5:825546EC9B53E6DF0CDB9D6DF0B12F2E
                                              SHA1:1C7BD77C06BBEA6CAE49810C08CF51B2E89EAF55
                                              SHA-256:BFA9DE11111C84574658DF9710D72633661084D2A7EF55EA331E94C471FD6BE9
                                              SHA-512:51AE2B3059B6B6DB1D92DEA1D59427187AF3AFFF9BB7D1E8914FB217DCB694A62E24F180FC0E659BF482D6C25C54A0089E2A28F2DC11030E3A80B130BBFDCBCB
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9508365492510269
                                              Encrypted:false
                                              SSDEEP:192:pzHcX26056rQjxPZrx4zuiFGZ24IO8fx:N8X2B56rQj6zuiFGY4IO8fx
                                              MD5:4C827FFE6EB5E2EF5743BEA6869D3AA6
                                              SHA1:D538BE16A31F026980AA42095BE76C43ECE7E35D
                                              SHA-256:D57E52C79164D7C76946BE777D7E5001CB38A3430F8F376A1E6EBE9EDF617966
                                              SHA-512:BE3EAC1EC11FC1EBC8F62EF422F6A25DAAB089D89B8311AFA3D835F6E6172A64024D07B1DC2377F41E92838A28968732A532F04D730888B9C5E8E2A242767F93
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9514666735502504
                                              Encrypted:false
                                              SSDEEP:192:WBz5cD26056rQjxPZrx4zuiFGZ24IO8fx:WoD2B56rQj6zuiFGY4IO8fx
                                              MD5:78F883E51B9FF59BEF31718E4673A675
                                              SHA1:BB59399A16BD75449BE75E4492EA4A906A3427F3
                                              SHA-256:0873B9D99F012A323008763B67D5EB749A5C01BA772A9C200D714CAC7D021520
                                              SHA-512:DD97F0D811518CCAD5AD2AD8F33B7E8AFAF599F93304026483755B9B167A72EA8967D772AB521996846A82AB4DE7F0C85934C38302309AB0E333DB3FF87F1993
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.0275233349976944
                                              Encrypted:false
                                              SSDEEP:192:Ioc/25e0ENeUjxPZrxBRdzuiFGZ24IO8fx:U/25FENeUjPzuiFGY4IO8fx
                                              MD5:9D07224CB1423F0D9A25AD47FC0D7A72
                                              SHA1:D0D9AF56BEF5F91AD84D1BE7B4D6DE1D4B19ABDF
                                              SHA-256:D605A5D348DFED04EAC6951DC1A75830EED00FCB415812FC5FC30344737D8F72
                                              SHA-512:4B3AC28CFA674A8845545581998D9B5B6B361B2CC7BDE8F3FD54CA28C562D90CC8F9594C7A6ECB055B70D4A819BD11991BF8D24B47B2A1160DC2D398F6818217
                                              Malicious:true
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.0.5.4.2.7.7.3.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.1.3.3.0.6.6.1.5.2.4.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.e.9.2.a.5.4.-.6.2.a.d.-.4.4.8.b.-.9.1.c.2.-.f.2.4.2.0.e.6.8.d.3.7.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.8.e.0.0.4.8.-.b.b.1.9.-.4.1.6.a.-.b.b.7.9.-.9.3.b.7.0.2.5.8.a.d.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.8.4.D.d.y.7.g.S.h...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.0.8.-.0.0.0.1.-.0.0.1.4.-.4.5.0.d.-.0.4.f.7.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.a.3.b.1.8.a.e.7.a.9.0.a.e.f.b.f.3.4.e.0.6.8.e.f.8.a.9.5.8.d.1.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.E.8.4.D.d.y.7.g.S.h...e.x.e.....T.a.r.g.e.t.A.p.p.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.8801162019260602
                                              Encrypted:false
                                              SSDEEP:192:9p3g1ueZue0y8egsjTMZrQzuiFGZ24IO8S:0ueZuFylgsj/zuiFGY4IO8S
                                              MD5:6F85D9A16EF2367E5D9AD004425F9B25
                                              SHA1:9E0C8EBF49C5C438E2252D2598A177C8B8B319E1
                                              SHA-256:3675312DEC3162E2268C9F00FD44F3E3D83124A3F6D3C52409ED6A8A1B69C49E
                                              SHA-512:5AA9B33AD0FF349457D6E0ACBFC602EC2CCAD41B0D1C655973F6D1FABE84D443247A4CB7B1E6AD853C99C54213E96307A7EAAE51E9B04FCCEC4455C8B37A9700
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.6.5.9.0.4.5.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.7.1.2.1.7.1.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.d.2.1.0.1.f.-.0.4.5.a.-.4.9.a.7.-.a.4.c.e.-.c.2.0.0.f.0.4.1.e.0.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.9.b.e.c.4.c.-.9.5.1.9.-.4.0.0.9.-.a.a.b.2.-.a.3.3.4.e.e.9.e.5.4.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.4.-.0.0.0.1.-.0.0.1.4.-.e.c.b.f.-.4.2.0.1.9.8.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9532316736597112
                                              Encrypted:false
                                              SSDEEP:96:kpV1Y4s3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOni:u1vZ6056rQjxPZr3GzuiFGZ24IO8S
                                              MD5:F858409CD046C0AE8AC6ADABD24CA2CB
                                              SHA1:FD15A0624E432971A98D9878B2E7BFF45B2110B8
                                              SHA-256:D7CFBE0E01A0219FD4F4BAB02B12CBCD6726CC6582346114F712732DF116A813
                                              SHA-512:51B1CA6F05E313918CFAFEE9FDBA013512F82D91FDA42B8668FF376B11E51589DDF6B9CC7BBC61EBF27AC118009AE21DD5D166EF5DB5E97EB918B82105AA4EBD
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.2.1.7.0.3.9.3.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.9.6.4.2.d.3.-.2.3.1.4.-.4.c.b.9.-.9.2.d.0.-.c.b.8.5.c.9.e.4.2.b.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.6.4.7.4.5.7.-.6.3.7.a.-.4.5.d.7.-.a.c.f.2.-.7.7.9.0.4.9.e.d.9.6.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):65536
                                              Entropy (8bit):0.9534282691660222
                                              Encrypted:false
                                              SSDEEP:96:oiuX1us3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOni:ot1uZ6056rQjxPZr3GzuiFGZ24IO8S
                                              MD5:E520A5BA4042A0F5D5D35240917F4072
                                              SHA1:2587133E2FFFF7B229A185C6A1CC5C536CC1E773
                                              SHA-256:3E678E9DCE3B8AD221242E68BE3DB886BA5008A643C015FF06F070F983A72E4C
                                              SHA-512:648DFC6191B22DE5A847323CBCA88FB81EE642037DFE7221B49466E451EDEE9AAC362EF4591184027D3ADE7147B500A638A75D0BDC33702384D5FD08FAFE52C2
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.2.4.3.2.6.2.8.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.b.7.7.c.8.4.-.9.7.4.0.-.4.6.6.4.-.b.3.e.5.-.b.1.8.f.2.9.e.0.c.c.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.0.c.1.0.0.0.-.2.6.0.7.-.4.2.b.e.-.8.c.0.a.-.1.f.c.c.6.c.a.4.7.b.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.8971323285090123
                                              Encrypted:false
                                              SSDEEP:96:Ztq1xs3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOnmf:e1xZ6056rQjxPZr3CzuiFGZ24IO8S
                                              MD5:6889AC38014CE1E361007440476011F3
                                              SHA1:AC846015BBD083A3736A849057F0A4F7C5DCAB3C
                                              SHA-256:C3066EC40C4E42063B4EA6B46D2B71C6F46036BF83A62309E1B7019061371A38
                                              SHA-512:9ABFE37FC745EE4D418566CF500B22CCCE88152506309D706D7065B90CB4A595DB1C6899C59E3874DB1DD3FF325C9CAE0BD424C50A08D33727D6F7E10EE2DDCD
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.0.9.6.3.7.3.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.0.9.1.3.2.a.-.d.a.4.1.-.4.9.a.e.-.8.e.1.a.-.0.1.a.e.2.2.1.4.b.0.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.7.b.9.0.9.c.-.f.6.7.e.-.4.1.7.d.-.9.4.a.b.-.4.d.f.5.b.9.2.4.5.1.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9178904190232203
                                              Encrypted:false
                                              SSDEEP:96:IfbH1Ks3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOna:uj1KZ6056rQjxPZr3uzuiFGZ24IO8S
                                              MD5:F7ABE5824C000D64CE737E792D481D10
                                              SHA1:CCC8D0CC91A583964533A0F669FD255518D8A21C
                                              SHA-256:063CDC7835E24B7104B993260F1E0734FA7D686EAA4DBC3A98C5EE6AE2B5DD96
                                              SHA-512:1DF30CCCC78BFDB67F281EE04D482CB06622E0B82C9375881551390A4FAE4A217DABC068FFB0E2E766E894E10E7FDF00C837CF470EA1EBB6FBF9B6746E2C068B
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.9.1.0.4.1.1.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.8.e.2.9.0.9.-.d.6.3.1.-.4.3.d.b.-.b.d.d.3.-.6.d.a.9.f.d.9.0.e.3.a.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.1.4.c.7.8.b.-.f.8.5.8.-.4.b.f.6.-.a.f.b.5.-.d.2.f.f.b.f.c.9.e.3.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9177299738256227
                                              Encrypted:false
                                              SSDEEP:192:CKQ11PZ6056rQjxPZr3uzuiFGZ24IO8S:2PZB56rQjazuiFGY4IO8S
                                              MD5:6B3115CAB8B0CFD5BB0DCD3BB66219C2
                                              SHA1:256CFF12ACAE35AE90828F083D3890DEA0B7036E
                                              SHA-256:F4B554AA0F45A357096D7D5608497A2D9497035D79CA0DEE20F36A9D6C730D11
                                              SHA-512:E90EEF42690038E3B05BECB4AFB09F70BDA997389731579553CF6069DA76DB9B5B94CDA7B927D0410D92508A79064D3615AD86734A714B26433D1D0B7AC61CA4
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.6.0.2.2.9.0.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.0.5.c.3.9.8.-.0.6.3.8.-.4.7.5.c.-.b.c.b.2.-.e.1.a.1.e.e.6.f.3.4.d.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.6.0.c.b.b.9.-.f.5.8.2.-.4.5.3.1.-.b.1.2.f.-.c.7.c.0.b.a.9.b.c.d.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9529667716229318
                                              Encrypted:false
                                              SSDEEP:96:qzg1is3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOnmL:z1iZ6056rQjxPZr3GzuiFGZ24IO8S
                                              MD5:8E624C502206133886F585967C0705F9
                                              SHA1:053A198C8E0577EA12B6DD2FD162557492E81408
                                              SHA-256:22227FE2533A48F0D2D1A2F31BA6A22AFE0FDDF70524E6181732F66C34F3A43E
                                              SHA-512:4F29D33086B0D297A7F57958D13DD3DB274F8E790193D2C518E2370B22E0B986DEA01A0E30B8261407EEE72CB836EDB676278C892610D8BAB79BC3A97E5459BC
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.2.0.1.6.0.0.7.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.e.0.f.0.8.b.-.d.3.7.8.-.4.2.8.0.-.b.5.7.e.-.9.e.c.6.3.d.8.7.f.f.d.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.f.0.4.0.c.a.-.b.2.1.0.-.4.6.a.1.-.b.3.f.7.-.c.9.1.f.1.9.9.c.a.e.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9040944170456325
                                              Encrypted:false
                                              SSDEEP:96:VvL15s3hqdoA7JfPQXIDcQnc6rCcEhcw3r7+HbHg/opAnQPxVg7TFOy4tZrXOnmh:B15Z6056rQjxPZr31zuiFGZ24IO8SM
                                              MD5:828DAF8836DD8627366AF46B8583A9B9
                                              SHA1:1DC81B9181FB154DEDBE9CF339B142575056EF3B
                                              SHA-256:480A323950BABC847EAA4CF2D25B7C7E7DEB1B37DCD962FCAE0A791AC6C6684F
                                              SHA-512:3C43A7838AA00E28A714ACA540FCE624FD9A9893DBECCA1DA1AA0C32EE0354797EA44B5C96114EA80BE392F24FBC07477745E986BB551F968BF6D66D08D385EF
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.2.9.2.8.0.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.a.a.0.7.c.8.-.e.3.f.d.-.4.d.3.d.-.8.8.9.a.-.b.2.2.b.6.5.0.1.c.e.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.8.9.f.f.6.0.-.f.6.c.7.-.4.5.2.3.-.a.9.6.c.-.d.b.8.2.c.a.0.f.9.5.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9179908769484036
                                              Encrypted:false
                                              SSDEEP:192:61pZq0JsAnbcA/jxPZr3uzuiFGZ24IO8S:upZxJsAnbcA/jazuiFGY4IO8S
                                              MD5:9E970799C80357765F47814FEE1FB742
                                              SHA1:88D97BCBB8654C724810AE33612BC780376C67CC
                                              SHA-256:036FA6820C901E1CCEF834334C81FE44E9446AEA32C7342C058907EE86C1E5BA
                                              SHA-512:773C7303AE23D4C47EAA01D6924DEF070CFFFC850C3E1D3BDADED0E72891F664A523E80508533B3509C0FB4B01516805458526BF5D4D70FA48321B374AE729C0
                                              Malicious:false
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.1.3.3.1.7.4.2.8.8.3.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.3.6.f.4.0.6.-.a.3.6.5.-.4.6.1.8.-.9.a.b.1.-.8.e.5.8.8.0.c.3.f.7.7.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.6.9.b.d.5.7.-.c.f.6.a.-.4.8.4.9.-.9.7.f.0.-.2.e.3.0.d.8.2.a.4.e.9.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a._.v.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.c.0.-.0.0.0.1.-.0.0.1.4.-.1.8.4.2.-.6.d.f.e.9.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.0.7.8.b.f.6.4.5.c.5.8.1.7.f.e.a.9.5.0.8.e.2.5.1.e.f.7.e.5.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.8.e.7.7.3.f.1.0.4.f.c.f.d.6.d.f.4.8.e.e.2.1.5.9.1.c.e.8.8.9.0.f.d.8.9.4.2.c.5.!.y.a.v.a._.v.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.3.:.1.4.:.5.0.:.4.9.!.0.!.y.a.v.a._.v.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:33 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):58096
                                              Entropy (8bit):2.114966870242625
                                              Encrypted:false
                                              SSDEEP:192:U6IyxOXw05FXNDsYrteODXw5jJg256OEKqioWsPL/H1Ym3cc72oWX2NizFGfP3:dIyxTuPDsYk5jJg25BoWsT/LcTPRA33
                                              MD5:1D283B97DA56BBB1335E0CFD38000483
                                              SHA1:775BBAA9730ED4392E68467D24F43353507412EA
                                              SHA-256:7423C9E39179CF63E905CBFC4248F3F10CD9E644E675CFC076200138FB532E7C
                                              SHA-512:E43EA20DD91D06D842B3C9A3C69546C89615EC44C0E382C78FB1AB86CE3CC0DA9141BA07E818C690CB7FB78F4655128C05BB3260C8B91BF603B0FD84A5D6094D
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og........................(...............02..........T.......8...........T...........X...............$...........................................................................................eJ..............GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8348
                                              Entropy (8bit):3.700934100198333
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXo6HWT6YWW6sKoGgmfcLypBt89boFsfT4m:R6lXJY6S6Y/6dgmfcL/oefJ
                                              MD5:EF85561C76241B2C9E8ED5D5107AB148
                                              SHA1:7BFA06AEE29E9E47154746BFBDBD9BEC632D9FEF
                                              SHA-256:0D38F6692139D84BF8F1AA441E39CC74874A0B30549A908462AA4AC9BC1FE908
                                              SHA-512:FB6B6C9ED8A3DA6BAF0202D39EB42BFB96CD5AC731F17FAC038BD9906398C13B6E57E131C05156D7FEDD435132AC41064EA63424B8A297B65027B90A561F69AB
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.476409157682252
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VY5Ym8M4JYs4FNE+q8fSbNHpN9d:uIjfCI7Nh7V9J4EhBpN9d
                                              MD5:8971038D7FE8CDFC9F0E98992CDC740B
                                              SHA1:778DB512C436A5974B0FB609CF8BE469570E3980
                                              SHA-256:1FB0110CC12BD0B90B1897862D154C767730B99155A900563284FBC5232062FF
                                              SHA-512:87269BF2DD4907C7393274F34B2BCED5D47C874BF68640813E891350AED516632E72AE167702F82684153C71350B19CF9EAF24F3784F331083A685A53D550898
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:36 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):63298
                                              Entropy (8bit):2.0277410193244867
                                              Encrypted:false
                                              SSDEEP:192:lrRXGkXeZ9GCKcZODXw5n8sYQRirY/3XzOEKqnPTE1hhqcc7OYX+TQ3PrQI:l0Z9xYk5n8sYUiM/XJPKqcbYO0jQI
                                              MD5:BF786D40E5861447440FB62769D8B180
                                              SHA1:5A831CE91171FE8DE2C316B2A32FD6BCF5C1EF11
                                              SHA-256:0C919784676C29BE5828B1B5A2C10A393129721087E5AC5CA59C418DDE94B25B
                                              SHA-512:07DD7F20D34B6F5601C4A7CA21EC6DD986E2EB54E7428D8B27B3D38FD2410B5FCED60DDD621ACFA6BD5A0DA7B2BAFF291BC31FD03FB3AB638F30623AC4D29A09
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............$...............,...........>6..........T.......8...........T...........p...............,...........................................................................................eJ..............GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.700628921268028
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXV6y6YWI6sKoGgmfcLypBa89bVFsf0qHm:R6lXJl6y6Yh6dgmfcLWVefW
                                              MD5:5A211256FB6F6453BED945F6DC34FDF5
                                              SHA1:4C533007F95C1E8CF5F86E00BBE4084EE51556F9
                                              SHA-256:94D0D0D0DC57DE1F317E56F4DC9BAE66C4C1DD55A8F630A0BD0EC1D8BE2FA7B2
                                              SHA-512:F538ABBA0BA6873227913E65787855B06D489D0C4B85056940667FEA8FAFB60CF5D6A018042B52796866D089F5F8EB8250E3570DB6AEFCB2B4788C02127755EF
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.4760905478282025
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VY4oYm8M4JYs4Fn+q8fSbNHpN9d:uIjfCI7Nh7VjFJ+hBpN9d
                                              MD5:E58C1D3B2B8BC3FF3E0A6D8234F3DDC3
                                              SHA1:6A6313E675D5493C4BD79C7C9D363675ADEC5777
                                              SHA-256:9AD4C19EA7D999662F2E1DC8A9029D45696C849EE1EBE29F7B916C83BA38006E
                                              SHA-512:2AF130054C586CFE68628FF86C737A3146EDFE7C5034F1BA6294B6CD897CB73BCB511EB70B0A82D36487C95F1450E975F8E3316DD9D12E74952BE38C30C3E36F
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:36 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):24984
                                              Entropy (8bit):2.4303857704061462
                                              Encrypted:false
                                              SSDEEP:96:5g8oaxSX6us0UMLwXgnzAWYZj4tIXTzIpOi7oQnXa2cWwF4v86E+DfxOXUwiWIkF:loajp7XyTYcIXTMOOHXwHs5fCUaCEuu
                                              MD5:E570C39EBA47C404396E8AC98D9581B2
                                              SHA1:1C99788ABCBDD106031EC6A6B56BE20EA60F6A56
                                              SHA-256:F5653E1339D6162E79DA9CEAEBB06E73786DA825F2851AEDE54E365C7DE7A11E
                                              SHA-512:6591D158E88B4899FF240205446212F41489BC3B68FDDE6B1A221CFEBCA169674AB06C359CDBA9923168411D4F2B9F063C62DC6D84CB45F0758F348157B8954E
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............4...........x...<.......d....$..........T.......8...........T................J......................................................................................................eJ......8.......GenuineIntel............T............#Og............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8308
                                              Entropy (8bit):3.692206965313147
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJW8656Y9iSUIygmfla+wypDN89bVBMnsfuHm:R6lXJt656Y4SUIygmflmlVBMsf/
                                              MD5:7565B38F6C7C654CDF908F19131F9B46
                                              SHA1:C40F8A201260A174B66710DAEFA781DB1630B9E5
                                              SHA-256:2D820C6F2EAB5D9FEDF48EC22C67AA1F2848D163DC60C3A92ED07AF378763510
                                              SHA-512:2FAC0702172DBD77F7D84552886D3786BD17D5F492B8F80BA73FB1E5F8C70508D0888863C32D9FDA90F69ABB15481FB6C45EFE4A44356B70BFA68F92A6BA24E3
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.0.8.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4558
                                              Entropy (8bit):4.432555879632186
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYAYm8M4JYsNjFR+q8fYPwWNHpRd:uIjfCI7Nh7V0J52WBpRd
                                              MD5:97E1B0D6F838BD15A9BF28F1A6CF6AFE
                                              SHA1:3BD45B8F61403840B8416FEFB8E9219284B1521F
                                              SHA-256:66A7F8EB12801E2AF33D7508EA812D18CDC596036A71274BFF45CF8671F61358
                                              SHA-512:257DEE11D882A817B363BABB35CA1A08F4AA17CFE0103C8FF58ACD8D0E0BD3EB56C282F88E462496B085A54B8CED71BD19F43040868589E04A466085C1DC813C
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:38 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):68990
                                              Entropy (8bit):1.970753497098745
                                              Encrypted:false
                                              SSDEEP:384:/eyivQdO9INk5jJpS3sAw0BXP2qcEeT6IAo:/2IA9Ck5dUvw0FjoV5
                                              MD5:6C9A52E9D97D467CF193E8C02ABF14C4
                                              SHA1:9C7599E8888465F069275697D4F47C0FE9FEC63D
                                              SHA-256:4FBD6DE3193C5DEB375BA378858818BA93F6920E96648C8C21B8C8345978B889
                                              SHA-512:54B9F7349D7BBB877F10AD944416E813849F041232980126D518EE28AA80F5985264137B9D19774117073BBBB425A4248615B17428772438827BE533E2A13B33
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............T...............\...........:9..........T.......8...........T...........................\...........H...............................................................................eJ..............GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.7013879889843717
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJX46L6YWw6sKoGgmfMaAjAaypB089brFsfs5m:R6lXJI6L6Yp6dgmfMaAjAaUref/
                                              MD5:1F07C850B989453B8F9BB83A7B51116C
                                              SHA1:2A717A799F2E8E2403095B15828BDDC3C47CC879
                                              SHA-256:DD66552CAEB5A51385B1ACC9829F5B34A75A2D45283EABE2C605142723450FDD
                                              SHA-512:3609410CA85436F2725B52B426F344A7CD32D7B58008DE7566DC13C8BEEF3697BAF94E35D62F37327BE264DEABB78225B3BDB60350097C8612243CED8574183C
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.473712296742772
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYcYm8M4JYsQFk+q8fqbNHpN9d:uIjfCI7Nh7VAJJ5BpN9d
                                              MD5:2D83F59E63651AC698C59BB840F6AC03
                                              SHA1:BA45CEEE517566EFF5D1D4E875CE10A42C69E5BE
                                              SHA-256:75286D1C716E9CEC168155F2854F3E94802F038F54C8ACAF583B2B3229461137
                                              SHA-512:9C563B37CBB9C6EC288F353F90AA1AE30FD9A3D0911D6DFF07AD77EC65E58954FAC28131D74E4290363FA5498851EAF1102CA2D861A1FA201ADB7F8D89A2849D
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:39 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):63396
                                              Entropy (8bit):2.0292292939068344
                                              Encrypted:false
                                              SSDEEP:192:2hRXGkXeZ93mODXw5X8X3OEKqD9psTVNypPTERhhqcc7raXnNQ3PrXE2:C0Z9hk5X8X9PsZNypP2qcCa3ujXE2
                                              MD5:8445EEFD1F4C92C4452AD8C84D462B7A
                                              SHA1:D405F4A6B4EB78B03DC145CDE3A303A69A2AD03F
                                              SHA-256:C0F28B40A98EE60D6BB3342C86237F823F6DF18F0AE4A0F81FF65E276F5BB0FF
                                              SHA-512:D8FBDD88F5ABD31847723B0A7524B1A71B2DC8B2BCBB09DF170E41F6514D8E367EB05E6D0129411D5A33940943A1BF0411175A171723D580E9C5226D16B8EE3D
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............$...............,...........>6..........T.......8...........T...........................,...........................................................................................eJ..............GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.700301505539002
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXj6c6YWF6sKoGgmfcLypBT89biFsfT+2m:R6lXJz6c6Ys6dgmfcLxiefTW
                                              MD5:54220628EE6CB69BC62642BA0E5B40A8
                                              SHA1:1566642A331169345327D5F9A3DE56F3CBC41467
                                              SHA-256:C8C5A4B02F2C876B56AAF38776B2F5526A425E52EE39589DD458547302179F5B
                                              SHA-512:84609C0690CA00B2E85C2635485445C81FF0F6282FBDBCCBBCA62C2E8034A180BF6A311312522454EB4A00B6FA3A1887AB606472E6BD728F114CB424E9BC732D
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.477929969485828
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYWYm8M4JYs4FD+q8fSbNHpN9d:uIjfCI7Nh7V2JmhBpN9d
                                              MD5:E4B7566806796F8996877D91DEA54E00
                                              SHA1:CCB797D9C23434D5C698F3905B7743B5CC31DA90
                                              SHA-256:36E03E92B0DC0411E967C0BACA615218EA2CCAC5180C1CDA8F2789219A2A969E
                                              SHA-512:37A75986645221630EB2EF246E9F6B0E5E86EACD92DD2D174E8C958FC443749DC73A95B0EA076CE6524B352E1DBF768B5F972B166443B4FE7FD35E3D08D3F23B
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:40 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):83370
                                              Entropy (8bit):2.1071481449307345
                                              Encrypted:false
                                              SSDEEP:384:doi0a0IBk5HIXsKSX4Sfb+EARYKzDP2P4qceTt4Fkb:do1jIBk5HIXnSj+Eivzy1Zikb
                                              MD5:9898764388311E1E84420B61CF6FB4DC
                                              SHA1:0427CB2AC71C48D3992FF2B767BA79B6DF1785E8
                                              SHA-256:69A1FA0261A7A84661B5E033DDC918FED5BB14711DBB353B3FFAF8C10A65F9C4
                                              SHA-512:CA66EE54E4FEF539691596C411A96CD700AAE7AB5B863DFEAD305D03B6A17F101A3BC7150497E7D6894452F93DAD4A5672AC850FC6462932361D08175D3F9786
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og.........................................>..........T.......8...........T............%... ......................................................................................................eJ......, ......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.702025012369004
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXS68X6YWU6sKoGgmfcLypBM89bdFsfn/m:R6lXJi68X6YN6dgmfcLMdef+
                                              MD5:7BC623D43D0DF1655D06653928A319ED
                                              SHA1:DD503E65DA4566DBDF38B86485802F223C9A0DAE
                                              SHA-256:8A8D5455EC608A5BD900CF82FCAF2AFFEDB54F8B94FF926E911BE549B6319144
                                              SHA-512:2DBCC1DDCDA634D996DA3360E6EF7CF62F9E8108ECA66C534FBBE3824BC3586D3A603B9998C61BF2AA385B3BCDA73EEAE93064A9A04A73A9C5E76DDE5C6A557F
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.473657205653749
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYYPYm8M4JYs4FDDEI+q8fSbNHpN9d:uIjfCI7Nh7VLSJQhBpN9d
                                              MD5:FEE0B0827B512D2EBC397F4299AF1B3D
                                              SHA1:48EF60A6BCF7B869E9D127264BADFD8D08FBD98F
                                              SHA-256:5C603F86ACED4030AE9ABD4316EEFB91EC43C8EDD7E023C083E2386D328AC077
                                              SHA-512:B8422037FB9B1F2BC7F12470F293D2EB05DBED4F82B37350AB716D609017B5B803F684F34AB9978AE4DF2E3324F4E94BCD04982154548C0791C40C8097C03B92
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:41 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):83514
                                              Entropy (8bit):2.14288799902023
                                              Encrypted:false
                                              SSDEEP:384:Dj/0a0CSk5n9t4jSfpstygA9YuzaP2P4qc0wJv/5e:Djcj9k5n9t4jSRMFCTzb1ws
                                              MD5:A912267542337095891E65D7ED647194
                                              SHA1:3A528D1907BA85CE56ED18D66290686ADB759384
                                              SHA-256:B5290C1A924BF491FE855194493364F3A17C3591FF7E3CC11CDD408739B0480C
                                              SHA-512:30D48788248543D9E79527DA5CB5EB6210312FA82452DAB7199190799AB2E5C8B53DB45179E1ACC2634D5CCDCF1185609A2CEEAE5DEBA7766C3EFA586734B3D3
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og.........................................>..........T.......8...........T............%... ......................................................................................................eJ......, ......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.702330264290132
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXy68GD6YWu6sKoGgmfcLypB989bdFsf9/m:R6lXJC68y6YH6dgmfcLvdefo
                                              MD5:7826FB8C3DBB5A63E4DDD4067914643B
                                              SHA1:44879F225F344C7CD708F7E1880108CE9E398F94
                                              SHA-256:0171285F529AEC7E483D3F05B85D4C59F120F746CEEA7FFBCF456D9A8D9E473C
                                              SHA-512:BAF1AB4E7C8451E64BE83F09A7BAE77E640D37E8342C532EB6E5B36F2A1B0FA43B70580F2386F2D145BDC6B2CB03A3C08C9349B5F5B379690B75C6938112C676
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.4756846381811295
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYGYm8M4JYs4FTgf+q8fSbNHpN9d:uIjfCI7Nh7VyJ6gfhBpN9d
                                              MD5:5FC76C9C32D6C6AE0FFFE39D6E067C80
                                              SHA1:BADCF3BCFBE414C1EF47ACDE474C519E399D7FFD
                                              SHA-256:5E0E89A724B00200D7288AD5EB376C50D211281AA9C80F54508168A0AB6B41E8
                                              SHA-512:10D6556C7AA12B999AE27E52CB0C34001F9BB92BA187A8FF5A6ED0178A3EF7E27AA7BCAE705D617C61E3D5EBC10F1688EA588E1A6861814D2DE068183F5CE235
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:44 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):92934
                                              Entropy (8bit):1.941596436204058
                                              Encrypted:false
                                              SSDEEP:384:n+myiKU+xAk53N2ujP63Yyj72PzXs7Xw8qc/qwRYs9xfb1+7mw7oX6AwFmT:n+mLTnk53NTjiRjC7Tx6oF
                                              MD5:BEEEC09B5F7530A8ADCBA150FD0CDEDE
                                              SHA1:5B86D2C10212272AFFF5A8464EF1B2262C8545B1
                                              SHA-256:20BC09461BE5D2B8772888FE48E6B8999155D595C742C3986FD5946A4D5CA661
                                              SHA-512:7B38190B67E2BA7C380E4E8F254BDE4C15B421F5D6636BF5B34498678E0916F1D5D5E9AC6A59DB118E2D337385F0F20CBDF7D05EB9DE61C04591F3E13222525B
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og.........................................D..........T.......8...........T........... '...C......................................................................................................eJ....... ......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8352
                                              Entropy (8bit):3.704035355314841
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXw636YWnn6sKoGgmfcLypB089bwFsfTwm:R6lXJA636Ykn6dgmfcL8wefB
                                              MD5:470D0F93B4934F178AF4EC7080C19877
                                              SHA1:0697A7D64E4FFDE4F835332804339CE3B39DB6A5
                                              SHA-256:B4D786A7684C155D888AB94CF518363DC8F2080575681D80CDD3C5A56F200BF6
                                              SHA-512:B8C91491368D92D5F8DB609B7FE92B815B8E5BDAE5954B4CEF136D3E516371730F48FA83675129D3BE706D2DCBDC7F8471B9F09A3711A75797046A4FC40CE7F1
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.472820931686653
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYXYm8M4JYs4Fvm+q8fSbNHpN9d:uIjfCI7Nh7VPJnhBpN9d
                                              MD5:A59053F0BE7F510B21263B1700EBC3E8
                                              SHA1:518C97E7380AE01287214B28874A01DF6DE224D6
                                              SHA-256:850F1E7BB61790920B282DC5DE5C7B7669ABDC5AE5141247FA744B69118E30F4
                                              SHA-512:0BA35E8FBFE6701B6DDFAB4DF995994DF73C0EDC55C0B266F2995DFF1B5DB69B00DB63C9A1B82C3DEF90CB6AF0D27F2F811715EEB17CF64224C89B9F1B61C085
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:31 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):59240
                                              Entropy (8bit):2.111828969798869
                                              Encrypted:false
                                              SSDEEP:192:OAC60DXS7XZz6c4oSODXw5NOGOEKZsWfsOf5Nr1Ym3cc747MkTChms:060Kzj4otk5NOXsWfs6NXcx7Mk9
                                              MD5:5EA53FF0CC07E547A5EF90B6CE63CFB9
                                              SHA1:22B836885E8709267BCF9D9C626159117E306A3F
                                              SHA-256:8595F21A767B3370B351B556A0BA7092A1185B1A3871787A28A3177842F3F8F8
                                              SHA-512:7090959DDB88216865D59E2A2CA84272D2E6229CE78D2A21601A51C4E1A6AD1974F061DAE90C89CD8C74554F402F70B1F30257759DA81DB0B053ADBE88A7F72A
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og....................................t....1..........T.......8...........T...............`.......................................................................................................eJ......<.......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8350
                                              Entropy (8bit):3.6983820874632722
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJXY61t6YWe6sKoGgmfcLypBg89baFsfRem:R6lXJI6f6Yn6dgmfcLQaefR
                                              MD5:32AFA5550D1AF7E7193D8AA20479CC3A
                                              SHA1:40EE12F571F0E111AE8D9EC1A3ED683BC6AD86AD
                                              SHA-256:FDFBE6F2C8E2F27CEEA878B1429E6AC576C51E86EDAF79E6E38B69CA44B708DE
                                              SHA-512:CBD71DF2CEA835F8F0F0A704DF9876972D8DAF65E5995ADA657F306DDC16B4DB0A6B7748E57C94E0F96909E126AC425F3F0BD80E1D9A98A1E626C2F567FF48D1
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4604
                                              Entropy (8bit):4.476262652562879
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VY/Ym8M4JYs4FMHe+q8fSbNHpN9d:uIjfCI7Nh7VjJZHehBpN9d
                                              MD5:FC5A13B638ED3340B08A2E409C7317A1
                                              SHA1:94BE3B063A6F13A21A0BD5DAB78ED907D8224B3C
                                              SHA-256:FA2034D672679CC59E3EDBC38E3AD4EEEECB1196AE89ABC25A1A48F9417A6625
                                              SHA-512:513E99463CF57C140C019CBA63A4DE7FD0AB0C292C7D539F22128EB58EF85F459F4003C4AC2AC7D49D7D21ABBFB18068EE3BBC09793DA5362B8388FB84112FD6
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:18 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):77102
                                              Entropy (8bit):2.3295306692474314
                                              Encrypted:false
                                              SSDEEP:768:WyxzE0JkfiUX3Nx2LTtix41Z6MhJuWu21llPp:BEmU4Tsa3/Blx
                                              MD5:30609B782A02DB06848ABA70E0949637
                                              SHA1:1048CFB930947F15207C08A84F8D5627735F116A
                                              SHA-256:034057BE6C92F1B409DC3590AEA6F60EBF9419E05F788195EBBC69ED2C206552
                                              SHA-512:C1A08B804B31FE4E3D34DF31198B5F7CDAE4C5C6C8E640325D55FFAB11494DDE9350384981A856CE6FEFE81FC88962FAD3754F0490EE857B371615FDB275C477
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............$...............,...........z8..........T.......8...........T............+..6.......................................................................................................eJ......`.......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8366
                                              Entropy (8bit):3.7035916588017557
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2V6uTe6Y9cSU9cbgmfvLypBr89bJ9sfYjm:R6lXJU6b6YWSU9cbgmfvLpJ2fB
                                              MD5:615ABF404F7EFE6128B9F183BD27722C
                                              SHA1:9F38E45282ACBEB769A3004763DBB8A6C4A9C263
                                              SHA-256:2C0E96678FBC35B806D8B1C2FD19E31F97063E78A32895C1BB99855B53E0A21E
                                              SHA-512:78E01A506AE9962E5B02883E8D16BD93C5C6CE97D0D9AF462C1E44E11150B04DDFA0B13BFDBB09C29FB75DA16CFFF17CAD44E3BEC2C8DD32F52C2FF318E85F06
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.4.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.499920821347055
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZsuJg77aI9LEVWpW8VYeYm8M4JIs4FUR+q8MSBVO4kw81d:uIjfCkI7Nh7V2JhmO4kw81d
                                              MD5:051746D5D0E929862E1BFDD1869AAAD4
                                              SHA1:E9C5069A89D2ED238C4E4F0A5EF1E3CB4C0E82C2
                                              SHA-256:5C7EA8865690AE9F32468502B8D1C92E3762547F0621FA7BCACAB20B41A4C7D5
                                              SHA-512:93F64D3D855E66DE23B7B60290E9A4FFD74C2C0D3BEC708F9740C40FD5127BED48B8E8D45CF8A2F8058E454420B0EBA6C5C1B863B323475F1AF92D7CD486AFE4
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615270" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:19 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):78754
                                              Entropy (8bit):2.3758548711487535
                                              Encrypted:false
                                              SSDEEP:768:ENzE0skfaoXOFNsU2Itix41Z6MhJuWu2St2:wEiD6sa3/Mt2
                                              MD5:74C9FEF35BB6D9F2FF83ACB392EE890A
                                              SHA1:7568507E72C7C0D81751940A1A8D0CAA2CB35696
                                              SHA-256:0FA6A1EA3DC9934871ABDE124C141080E18CDE42CFE764CED6375D2451D75916
                                              SHA-512:C363C584BFC43E6A2D3AED15F40ADA2970B28FC2C86179D6586ACE743E69B82DB835FD9DAC40AB83B14F47958873B4F9A6A95EACB725263AD2B296E562501FB8
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............$...............,...........z8..........T.......8...........T............+..........................................................................................................eJ......`.......GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8366
                                              Entropy (8bit):3.7027290869494385
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2c6ZTe6Y9sSU9+uVgmfvLypBt89bA9sfsgm:R6lXJ9606Y2SU9+MgmfvL/A2f6
                                              MD5:5CCF5A0431BA6203325432837C270ABB
                                              SHA1:888161DCCA11290C5916C69C0A7D63B9ED61DFB3
                                              SHA-256:733B960658DEE54FB99626707005E192FF337BF7909AD3A950B28DD6D58B7AB4
                                              SHA-512:1F463995C706AE0ABC210C2A3D7D66198C75DC4E8C4AA07137EF248E2F84299F3B6620BD72B9B56B2481A82C1640ECA32D544448496F7B502060483CECFC68E7
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.4.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.501109396440826
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYCYm8M4JIs4FTC5+q8MSBVO4kw81d:uIjfCI7Nh7V6Jd5mO4kw81d
                                              MD5:B846D29003EE3D1D995FFFA02FFE351E
                                              SHA1:145564128A464C91E01E07823155F98A24395A05
                                              SHA-256:F77EE9C7CCAD7954C692CEEEBC9954BE57B3EA6E837B3D6C415675676C137418
                                              SHA-512:0B491A87EA4AEF1DABE2AC09A30BE6C799592FEC3B47C1267BB652D69157101174EB129ED74AACACBE7775103E6FC45959F1439749982221239AE9E43A5A61E8
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:19 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):84294
                                              Entropy (8bit):2.362968097001878
                                              Encrypted:false
                                              SSDEEP:768:WdotUkf1PXTUwNwZbibixo1Z6MhJulnu2+to:PDIbbiGq3sYto
                                              MD5:1C9885EBB721C9ABC60A95D9F469C1CE
                                              SHA1:5D8AC0906CB88FE878EFA549A5D99EFEB09FA341
                                              SHA-256:14CEDF9AF770FB461938AD7EAE5F81E3EBF6FD3136B899B0E0E04D964F31C421
                                              SHA-512:26F4C661C3CEC3495FF7450C8C3A63C643F676E33038B7B1ABCEE901E9F45494657D7F5C514E10B494088F6648A790BAC9B50E7869B5735A529BC4E1CD028274
                                              Malicious:false
                                              Preview:MDMP..a..... ........#Og............T...............\.......D....<..........T.......8...........T............,..^...........x...........d...............................................................................eJ..............GenuineIntel............T............#Og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8366
                                              Entropy (8bit):3.7014328625588204
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2x6J76Y9hSU9TSVgmfvLypBG89bA9sfD0gm:R6lXJw6F6Y7SU9TwgmfvL6A2fO
                                              MD5:603E43BBD0D46BB7E0DC44E1C84BB91D
                                              SHA1:1B63C10C2B1F85831103EC1C996A81F32875D277
                                              SHA-256:6DE3606923C4836BFC6DE39C410EBD1DBF838E66C11011343E7B12941971FD6C
                                              SHA-512:3EF5384A76216FF63C128756A7A05AF724C4AD5795C8CB394EA32CAC5559F1A558EE4B10DB063617A6C9DFED98B08A95C952850EEF3C2FB1BF4FC3958B67D4CB
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.4.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.500247580987624
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYXYm8M4JIs4FQ+q8MSBVO4kw81d:uIjfCI7Nh7VTJxmO4kw81d
                                              MD5:55C4359CB2E08E106E7A6F15AA945C52
                                              SHA1:C369E28218081A9DDDD0A854B7F17850DD724037
                                              SHA-256:E8F50FF29AE1CA9AA5CE48FDDE1591C611D4C57FE0A83038E2D8110A97127688
                                              SHA-512:274BAC0C83049A694674A6EC7D92759D07306B0F957469E632402A12F4B323828588E759C21F3F39FAFA98BA4EFADFBEBA473E3AA3DE2CC52F1C3CF29B77A992
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:21 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):91128
                                              Entropy (8bit):2.100789020500974
                                              Encrypted:false
                                              SSDEEP:384:cuBEjKIkf5suHXT+gcauDA4PPU42sJNG2El0x+LDUx4Xfo:cuyjKIkf5lXTdcauA4Pr2+G2l+L24vo
                                              MD5:4603A16F1581FD7DA42A6D18F52FED02
                                              SHA1:444458C9B8C86D035EF929E7468475B47D221066
                                              SHA-256:B0E58FE309054E82084B4876EAD14DF3C7A8EA844795A878A56EF82DFB1AFA91
                                              SHA-512:653C39002510A7174270E7666B2324C8700101D5FCBED16C2DEDBDE7394A6F497EB06C2D9D50337F4E8DF1B025C303FC7375A71DA203858A16C1676DF81DC435
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8366
                                              Entropy (8bit):3.7032872408475495
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2Xh6V6Y93SU9SGgmfvLypBL89b79sf7pm:R6lXJsh6V6YdSU9SGgmfvLZ72fY
                                              MD5:8F627AAB5FDF6898F6D0E99ED2B897C9
                                              SHA1:F8E1FC4EF5C465D97B600B3EEF95C2B6F0D5082A
                                              SHA-256:30C503745D98AA875226D5797A0E1EC435C52FB51A78D3C2A8D92C346EBD6CAD
                                              SHA-512:854B9D9A5D019D2E218A9F497FE3FC0608732A91A1C2ADD593CB97D6C60820BDA39A28DED6FD3CE053E0907924E6C62E9532688341E4AD101BE00DCD34FD099D
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.499112958953283
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYWovYm8M4JIs4Fq+q8MSBVO4kw81d:uIjfCI7Nh7VHDJnmO4kw81d
                                              MD5:219CFDEDABF90356BE213A922B29D199
                                              SHA1:3A7A012846FBFAE77FF6A2E5EAA049F2146E10C1
                                              SHA-256:7446BE840697438D628CAF6F5AA391C0555B368836F4E1A30ADE255F62AEEBF4
                                              SHA-512:E60384AABA14C2663B9F3A46330D437E24733412619016529C6C78757DA4D71DC01CFDAEFD37744CB4A6FF1CA74615F3DECFF1A5C5611F14FC711ED736E8E273
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:21 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):95244
                                              Entropy (8bit):2.0110875006916427
                                              Encrypted:false
                                              SSDEEP:384:gcOxuBfj5DkfbYiHXlDfZcaXDAvsy9m2BG2EPhE7uTqTGgaHIboPMTb/tgaA:gjxUL5DkfbNXl1cazAvhDBG2p7hgf
                                              MD5:F3913E81A80BBDE7240FC112BE2FBDD9
                                              SHA1:C9597E6C881D356CAB5372244D8B0C5063E9ECDB
                                              SHA-256:BC6318145B1B341C042FEE8FE1A073823EEB74F4087247CC2920698B60E7C6BA
                                              SHA-512:1F333FD23E59870CADA318F615A89B79D412A5E7E89883037943D46CE9F0004E2127A7ACEA2F52F58074D318B8D232405DFF3BE839B8086B0C3521A11C8AA796
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8366
                                              Entropy (8bit):3.703992056433316
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2L6826Y9PSU97NgmfvLypBO89bA9sfiAm:R6lXJq6826YFSU97NgmfvLyA2fU
                                              MD5:D03F57ADE39E5F3EF15BE72012B1BBC9
                                              SHA1:DE183BAAB21FE2A992CE9A0E9CEAAB815E4F692C
                                              SHA-256:F4D7240BA4A5B0D3C1648727BB7EC44CB236A1FCACDC692BAB957E1FB4734ABE
                                              SHA-512:CD6DBFB3A67D72C963FDF39131F4DF2E64F0C0BA64FBBD4BFDD0B58B07F0F465E524B4C799E526DB3C59F7828B8C2C4A0CDE082E11819FA4D6F883A3B96C6CDB
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.498894745135956
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYSYm8M4JIs4FOq+q8MSBVO4kw81d:uIjfCI7Nh7VGJ/qmO4kw81d
                                              MD5:CAC4A32695E31730BCCDBC273E9C0A2B
                                              SHA1:8AD38EFACC3A908BBEDA4A5A6D2CA0EBE6B8E15F
                                              SHA-256:5B837239E88A81F50BE18CA2696F008F313B779F91F36F0F462A01B9A5DC694F
                                              SHA-512:0485E36B961D234D1EEC4BD8949212A19E3AD8E918D9CFBDAD90899E4CBD013B93B90CD5DEE768DF6D95A236BEC1DBE334015FF30E09AC38D3DB311C5F2FBC8E
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:22 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):94820
                                              Entropy (8bit):2.0227147313677922
                                              Encrypted:false
                                              SSDEEP:384:aE0Bfj5TFkfhx7UOxHXlDeLGsmVaTDAum2seG2E+jvec/QY5HtjSbjvDbnSHvnvM:aEGL5TFkf/jXlIGla/AuDseG2Cjz
                                              MD5:11F105E747731F107A89241D33E47233
                                              SHA1:C9624FFB3CE929C86C21F86314CD0653121C3A74
                                              SHA-256:874D70FEE697CCBF2616D5F79AAA192DEF3BD58549CA958A38196EC6DCF0648A
                                              SHA-512:D2BDD283AD1AE79914E08A776F6C95B66855246033FB80204A49AE24F3992D4687E6E5597954CE701B4DC7403FF300FBD84542B87CAB88E9258E0A4AC51DF7CD
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8368
                                              Entropy (8bit):3.7049010425704902
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2jB68P6Y9qSU9mdgmfvLypB089bJ9sfeDm:R6lXJYB68P6YgSU9mdgmfvLUJ2f7
                                              MD5:1A62F6843DEB8E286F89638F68CC32E4
                                              SHA1:D45B204249B11C19AD22CED48076E026ADD95E55
                                              SHA-256:3C59986F2E3DDA0AD47509B452123CE6765E6B75529F7A4ED56FA4FEF61ECC9B
                                              SHA-512:00B43BAD77C4D759EC5A73ACE244B32DC99E5C4E4FE2D8EB3FFF925454DB9F4F236064B3013569A5F83937CC5C66BE1476C75E84327FB5AF7AAFB16AC1AC858D
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.500105586803633
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYSPYm8M4JIs4FPd+q8MSBVO4kw81d:uIjfCI7Nh7V3SJ0mO4kw81d
                                              MD5:D346C9E4FAF9A9E6277F00700895B572
                                              SHA1:9C0B4263A5876C82444F56337B5AA7523C784978
                                              SHA-256:E4AF59CD5D6CBCE722BC09F8C38E869722C9F8DCB72FB79DAC4233191AFDBC66
                                              SHA-512:EB086C041F783C1D5946A6DE774ABB8DBAC3BEE5C78C66969C7DA2092887C9A730DDC6AF8834271DC5B533AE2E33BED9D19809CE6FF0533D88A48667ED236D04
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:24 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):103634
                                              Entropy (8bit):2.210681098408713
                                              Encrypted:false
                                              SSDEEP:768:LQL50kfHskXlXIkMtH7AuDsRG2wtMA6/e+:wek6dtHc6MqtMJ
                                              MD5:8F7700D0A1DF7F708840FCF340A93E38
                                              SHA1:F5E8102A7F4690449DA3D6CA15691AD458756103
                                              SHA-256:8790D8E68E56B0AC8DDD8286A0C788A51D6B5FB627D227D64AC0A0E33B851EA0
                                              SHA-512:6B320CBF8FEBC07193FE3317485F8C4ABB38BF7E5F14F79D93A82985910022528389CD4A4A5A1F00030189B7DDDB1404B8AFA34FE55F8B0D75E5662D99F60A5C
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8368
                                              Entropy (8bit):3.703340364779308
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ296ek6Y9tSU9vggmfvLypBT89bW9sfmym:R6lXJk6ek6YnSU9vggmfvLBW2fa
                                              MD5:D39720176F8CCEE67ACBBE11AC4A3A38
                                              SHA1:1EB8B95AFEDAF2949FC4151CCF3BED2BC6FC7C6D
                                              SHA-256:62C88F2CF1E2B17728EC7A47D183C6D04FD0BDC048BAD0E7FE1C78B4AE63C58C
                                              SHA-512:317F6CBAC0ABCFD108011331567863B991C426BCC8EB28FA95173B629D8A7EFFDAA1A8A430E3D114484B9C0281B81FECD6F425722AFB84DACAA7CF398CEEDDCB
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4619
                                              Entropy (8bit):4.498934585724307
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYXYm8M4JIs4F7MO+q8MSBVO4kw81d:uIjfCI7Nh7VXJWMOmO4kw81d
                                              MD5:24320A2D01017608B1D182169B78073A
                                              SHA1:5AE2890533DF24F2E715E82C3D282EA0A4FE6256
                                              SHA-256:B4D965A64A0748FB830227C99F19336A0F3BD77831654B04C9CBB59E5A37A77A
                                              SHA-512:0F0F63B6F9D499F9E4BF9875EB3C20253DE9A4D24A0FCDD2565D2C07B6684328675E5CB28B07BE43813127C020140C8849D15664730B6A8CA6CD5F689101EA92
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Tue Dec 3 15:28:25 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):39086
                                              Entropy (8bit):2.5377839500656973
                                              Encrypted:false
                                              SSDEEP:192:McN2XSbI07XWhXed0hXHNNODXwfw2pNaBYW5rWjG+ult/tvI/HyB1Pu5b24zePyd:bBI0S80lNAkfXaBYW5UePYH4RQxz
                                              MD5:F33A86072C780D9B7B0E031E0E535E38
                                              SHA1:CE4AD4C4D8C7752DABE3C253806C6CE451873CA0
                                              SHA-256:8F0983C9086771CADB6887168685EE34C9AC97E3A9478DCBA0F6BAE604A999AB
                                              SHA-512:BE10EE47895E5C98C6AC5C4CF2307ADFE7BB9CBE818AF6031F3478D0FC1515B923BFE5C60393C8035BC90F79E8B5C3480B4E38A0932F7707B956DA047570790A
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8328
                                              Entropy (8bit):3.6942740956862687
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ2e6ECIe6Y9hlSU9wqgmfdn6rypDZ89bf9sf0k1m:R6lXJX6F6YLlSU9wqgmfd+Zf2f+
                                              MD5:8BED9D606EB5882ACE9854517920122E
                                              SHA1:3DBFA7921CC6B123792668735A1D2E54AE25CA2B
                                              SHA-256:2D3C38117D4E81B7353CC1D5DAE3A9FB3B0605749ECB42CE81BF7A15F58985B4
                                              SHA-512:56B640B76C89FD92E8F955EB31888D35E9D95E694A48FD0FE4273BC4E4714E402D91838FA23F1F45CFD532920B0C62387A19978F43CBAC874BE9FBE34A946E81
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4579
                                              Entropy (8bit):4.465739301965919
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZKJg77aI9LEVWpW8VYrYm8M4JIsMjFXM+q8MZP0VO4kw81d:uIjfCI7Nh7VLJdqO4kw81d
                                              MD5:16F29BBC40537F1B2DF0A1AC1E8B2C7B
                                              SHA1:BDE9AF6DEB6E4F49AC307266053C24B2D8A00DAB
                                              SHA-256:7E357E0C4992A2B6C24D9F7B4F5AB8142F85A70C12482F9C3F5544081EA38797
                                              SHA-512:504D1C9D506B5CDE605FC85FD63FAFB4036D32F74AB229A09254C20C862378893C3C290D038CD632EA162E189E5BF5EE889C98DC8890BC5179F8E87153E62281
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="615271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Users\user\AppData\Roaming\yava\yava_vd.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):963
                                              Entropy (8bit):5.013758486871551
                                              Encrypted:false
                                              SSDEEP:12:tkluJnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qluNdVauKyGX85jvXhNlT3/7AcV9Wro
                                              MD5:A0B25AA7ACE7B58B8A68A3B043CBD1A2
                                              SHA1:557B3E91B19FF73B980577D21B0759ACFB694334
                                              SHA-256:FF65B6A6CAF43C5830DA137836E99CC4F2DC511116EC72A8F180A17FCCB17526
                                              SHA-512:581BF3DEEA3713D383A87024CEA8C3B913FE1138C3D5A9D9D50854EB12DF8D8FFF3239ECB5DC21A24CD337DB7CE4655E6EB373B9524E6BBF160EAB31323CE894
                                              Malicious:false
                                              Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                              Process:C:\Users\user\Desktop\E84Ddy7gSh.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):466432
                                              Entropy (8bit):7.204088809656108
                                              Encrypted:false
                                              SSDEEP:6144:sPm7KDoBlJL4vhsEAC7rWzLKmVn4RIM0EeNXWizh/Kkc6k4qHVWO1XO/gvJ/j:IELksjq0KmFbEeJN1Kkc6xqHVlVj
                                              MD5:60E18D4606431A33C406C1AD21DDC4E2
                                              SHA1:F8E773F104FCFD6DF48EE21591CE8890FD8942C5
                                              SHA-256:7FCE076AE6458C561DCB1E5CD6A1DE47AA114D5758DC791F0A94402AC4A9F2EE
                                              SHA-512:00C74A249BE8AC164BE201161ACEB35E272F007E65EA6D740043BA89A55A69B7A01283D50FD446E774DF05F869D9D6418F8D82FFF5422133A36BEBC2F8FAF22E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 68%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o..=..o..=..o..=...o....o..o...o..=..o..=..o..=..o..Rich.o..........................PE..L..../e......................r.....h.............@..........................Pw.....C=......................................T...<.....u.@...........................................................@...@............................................text............................... ..`.rdata... ......."..................@..@.data...|.o.........................@....voguxu.......u.....................@....tls.....3....u..4..................@....duhasid.(...Pu..(...(..............@....rsrc...@.....u......P..............@..@........................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\E84Ddy7gSh.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.46813687236089
                                              Encrypted:false
                                              SSDEEP:6144:MIXfpi67eLPU9skLmb0b4nWSPKaJG8nAgejZMMhA2gX4WABl0uNCdwBCswSb8:xXD94nWlLZMM6YFHw+8
                                              MD5:39714129D0ADF7A8A042F6579FF1DCFF
                                              SHA1:FB1D90791F9FFED049BF718CDFA98F9C3192F631
                                              SHA-256:BC8B5C6E1842FB7DB1BCEB7FC066BA1DFCA94FA2CD4AC807FEC338143E2208E2
                                              SHA-512:AB40F798920DF29D3C896E3AD321AF1A8C07D4351F71908274D9178E0639E5F4891989E1D1B910C12D91501C180E1EA38E1561A0F477AB188ABC80F56AC26E7F
                                              Malicious:false
                                              Preview:regf=...=....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.m...E...............................................................................................................................................................................................................................................................................................................................................B..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.204088809656108
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:E84Ddy7gSh.exe
                                              File size:466'432 bytes
                                              MD5:60e18d4606431a33c406c1ad21ddc4e2
                                              SHA1:f8e773f104fcfd6df48ee21591ce8890fd8942c5
                                              SHA256:7fce076ae6458c561dcb1e5cd6a1de47aa114d5758dc791f0a94402ac4a9f2ee
                                              SHA512:00c74a249be8ac164be201161aceb35e272f007e65ea6d740043ba89a55a69b7a01283d50fd446e774df05f869d9d6418f8d82fff5422133a36bebc2f8faf22e
                                              SSDEEP:6144:sPm7KDoBlJL4vhsEAC7rWzLKmVn4RIM0EeNXWizh/Kkc6k4qHVWO1XO/gvJ/j:IELksjq0KmFbEeJN1Kkc6xqHVlVj
                                              TLSH:40A4CF12A2FB2911F7B34B314EBAD6A4266FB9235EE4725F3204663F09712A1C533707
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o...o...o...=...o...=...o...=...o.......o...o...o...=...o...=...o...=...o..Rich.o..........................PE..L...../e...
                                              Icon Hash:0819234d010dc951
                                              Entrypoint:0x401668
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x652F8FEB [Wed Oct 18 07:57:31 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:eb87f6f93a30d1ccddb20207cf8c00c9
                                              Instruction
                                              call 00007F178525383Ch
                                              jmp 00007F1785250AFDh
                                              mov edi, edi
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 00000328h
                                              mov dword ptr [004513C8h], eax
                                              mov dword ptr [004513C4h], ecx
                                              mov dword ptr [004513C0h], edx
                                              mov dword ptr [004513BCh], ebx
                                              mov dword ptr [004513B8h], esi
                                              mov dword ptr [004513B4h], edi
                                              mov word ptr [004513E0h], ss
                                              mov word ptr [004513D4h], cs
                                              mov word ptr [004513B0h], ds
                                              mov word ptr [004513ACh], es
                                              mov word ptr [004513A8h], fs
                                              mov word ptr [004513A4h], gs
                                              pushfd
                                              pop dword ptr [004513D8h]
                                              mov eax, dword ptr [ebp+00h]
                                              mov dword ptr [004513CCh], eax
                                              mov eax, dword ptr [ebp+04h]
                                              mov dword ptr [004513D0h], eax
                                              lea eax, dword ptr [ebp+08h]
                                              mov dword ptr [004513DCh], eax
                                              mov eax, dword ptr [ebp-00000320h]
                                              mov dword ptr [00451318h], 00010001h
                                              mov eax, dword ptr [004513D0h]
                                              mov dword ptr [004512CCh], eax
                                              mov dword ptr [004512C0h], C0000409h
                                              mov dword ptr [004512C4h], 00000001h
                                              mov eax, dword ptr [00450008h]
                                              mov dword ptr [ebp-00000328h], eax
                                              mov eax, dword ptr [0045000Ch]
                                              mov dword ptr [ebp-00000324h], eax
                                              call dword ptr [000000DCh]
                                              Programming Language:
                                              • [C++] VS2008 build 21022
                                              • [ASM] VS2008 build 21022
                                              • [ C ] VS2008 build 21022
                                              • [IMP] VS2005 build 50727
                                              • [RES] VS2008 build 21022
                                              • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4e754 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2758000 | 0x1cd40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4e488 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4e440 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4d000 | 0x180 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4b50f | 0x4b600 | 0db0b2fd4778658c9d8e89ea3d69f8f2 | False | 0.9515702736318408 | data | 7.936561536852126 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4d000 | 0x201a | 0x2200 | e848fcdca79a56defd5334508ba260df | False | 0.36178768382352944 | data | 5.45893366550017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x50000 | 0x26fff7c | 0x1400 | 402422ccc4cc7ed585838cf6dd57a491 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voguxu | 0x2750000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x2751000 | 0x33fd | 0x3400 | 5c5e82152a1b2e04e3c351b6be64f3a1 | False | 0.0029296875 | data | 0.001137551124542444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.duhasid | 0x2755000 | 0x2800 | 0x2800 | 1276481102f218c981e0324180bafd9f | False | 0.00322265625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2758000 | 0x1cd40 | 0x1ce00 | 22834ce058508ffaef843e4cb4629898 | False | 0.4853219696969697 | data | 5.455867827182318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
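The section table above is the kind of static evidence a triage script can score before any dynamic run. The following is an added example, not code from the Joe Sandbox report or from Joe Security; its SECTIONS list is constructed by hand from the table above, and the entropy threshold, the virtual-to-raw inflation ratio and the set of "standard" section names are this example's own assumptions.

```python
"""Static triage of a PE section table.

Added example; not part of the Joe Sandbox report. SECTIONS is constructed
by hand from the section table of E84Ddy7gSh.exe printed above (name,
virtual address, virtual size, raw size, entropy). The thresholds and the
STANDARD_NAMES set are assumptions of this example, not values the report states.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: Optional[float]  # None where the report printed "unknown"


# Constructed from the report's section table.
SECTIONS: List[Section] = [
    Section(".text",    0x1000,    0x4b50f,   0x4b600, 7.936561536852126),
    Section(".rdata",   0x4d000,   0x201a,    0x2200,  5.45893366550017),
    Section(".data",    0x50000,   0x26fff7c, 0x1400,  None),
    Section(".voguxu",  0x2750000, 0x400,     0x400,   0.0),
    Section(".tls",     0x2751000, 0x33fd,    0x3400,  0.001137551124542444),
    Section(".duhasid", 0x2755000, 0x2800,    0x2800,  0.0),
    Section(".rsrc",    0x2758000, 0x1cd40,   0x1ce00, 5.455867827182318),
]

# Names a normal MSVC link emits (assumption: anything else deserves a look,
# it is not proof of packing on its own).
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".tls",
                  ".idata", ".edata", ".pdata", ".bss", ".CRT"}


def triage_section(sec: Section, entropy_threshold: float = 7.0,
                   inflate_ratio: int = 16) -> List[str]:
    """Return findings for one section; an empty list means nothing notable."""
    findings = []
    if sec.entropy is not None and sec.entropy >= entropy_threshold:
        findings.append(f"entropy {sec.entropy:.2f} >= {entropy_threshold}: "
                        "compressed or encrypted content")
    # Virtual size far above raw size: the loader maps a large zero-filled
    # region the file does not carry, typical scratch space for an unpacker.
    if sec.raw_size and sec.virtual_size // sec.raw_size >= inflate_ratio:
        findings.append(f"virtual size 0x{sec.virtual_size:x} is "
                        f"{sec.virtual_size // sec.raw_size}x raw size 0x{sec.raw_size:x}")
    if sec.name not in STANDARD_NAMES:
        findings.append("non-standard section name")
    return findings


def triage(sections: List[Section]) -> Dict[str, List[str]]:
    """Map section name -> findings, keeping only sections that have any."""
    report = {}
    for sec in sections:
        findings = triage_section(sec)
        if findings:
            report[sec.name] = findings
    return report


def mapped_image_size(sections: List[Section]) -> int:
    """End of the highest section once mapped, i.e. what the loader reserves."""
    return max(s.virtual_address + s.virtual_size for s in sections)


if __name__ == "__main__":
    for name, findings in triage(SECTIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(f"mapped image spans 0x{mapped_image_size(SECTIONS):x} bytes "
          "versus a 466432-byte file on disk")
```

Run against the table above this flags .text for its near-maximal entropy, .data for a virtual size thousands of times its raw size, and .voguxu and .duhasid for their names; .rdata, .tls and .rsrc come back clean. The mapped image ends at 0x2774d40, which is the reason the "Detected unpacking (changes PE section rights)" signature is worth chasing in the dynamic part of the report.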
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x27589d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5719616204690832
RT_ICON | 0x2759878 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6371841155234657
RT_ICON | 0x275a120 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6941244239631337
RT_ICON | 0x275a7e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7521676300578035
RT_ICON | 0x275ad50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5154564315352697
RT_ICON | 0x275d2f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6172607879924953
RT_ICON | 0x275e3a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6225409836065574
RT_ICON | 0x275ed28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7526595744680851
RT_ICON | 0x275f208 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.7515991471215352
RT_ICON | 0x27600b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6845667870036101
RT_ICON | 0x2760958 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5869815668202765
RT_ICON | 0x2761020 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.740606936416185
RT_ICON | 0x2761588 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.6459543568464731
RT_ICON | 0x2763b30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6827868852459016
RT_ICON | 0x27644b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.6843971631205674
RT_ICON | 0x2764988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39418976545842216
RT_ICON | 0x2765830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5573104693140795
RT_ICON | 0x27660d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6192396313364056
RT_ICON | 0x27667a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6365606936416185
RT_ICON | 0x2766d08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.42917448405253283
RT_ICON | 0x2767db0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.42418032786885246
RT_ICON | 0x2768738 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.4671985815602837
RT_ICON | 0x2768c08 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.2801172707889126
RT_ICON | 0x2769ab0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.3677797833935018
RT_ICON | 0x276a358 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.3790322580645161
RT_ICON | 0x276aa20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.37427745664739887
RT_ICON | 0x276af88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.2594398340248963
RT_ICON | 0x276d530 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.27696998123827393
RT_ICON | 0x276e5d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.2872950819672131
RT_ICON | 0x276ef60 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.3280141843971631
RT_STRING | 0x276f5f8 | 0x9e | data | | | 0.5949367088607594
RT_STRING | 0x276f698 | 0x48a | data | | | 0.45266781411359724
RT_STRING | 0x276fb28 | 0x4ca | data | | | 0.4363784665579119
RT_STRING | 0x276fff8 | 0x688 | data | | | 0.4354066985645933
RT_STRING | 0x2770680 | 0x6e6 | data | | | 0.43261608154020387
RT_STRING | 0x2770d68 | 0x7aa | data | | | 0.42252803261977573
RT_STRING | 0x2771518 | 0x71a | AmigaOS bitmap font "e", fc_YSize 26880, 19712 elements, 2nd " ", 3rd "p" (libmagic misidentification of string-table data) | | | 0.4317931793179318
RT_STRING | 0x2771c38 | 0x89a | data | | | 0.4150772025431426
RT_STRING | 0x27724d8 | 0x6ba | data | | | 0.4262485481997677
RT_STRING | 0x2772b98 | 0x578 | data | | | 0.4421428571428571
RT_STRING | 0x2773110 | 0x87e | data | | | 0.41030358785648574
RT_STRING | 0x2773990 | 0x890 | data | | | 0.42244525547445255
RT_STRING | 0x2774220 | 0x5bc | data | | | 0.44618528610354224
RT_STRING | 0x27747e0 | 0x4e4 | data | | | 0.4488817891373802
RT_STRING | 0x2774cc8 | 0x76 | data | | | 0.6440677966101694
RT_GROUP_ICON | 0x2764920 | 0x68 | data | Turkish | Turkey | 0.7019230769230769
RT_GROUP_ICON | 0x276f3c8 | 0x76 | data | Turkish | Turkey | 0.6779661016949152
RT_GROUP_ICON | 0x275f190 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x2768ba0 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_VERSION | 0x276f440 | 0x1b4 | data | | | 0.5894495412844036
DLL | Import
KERNEL32.dll | GetConsoleAliasExesLengthA, DeleteVolumeMountPointA, OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleMode, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetNumaProcessorNode, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, SearchPathA, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, QueryDosDeviceW, GetModuleFileNameA, GetModuleHandleA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, GetTimeFormatW, PulseEvent, HeapAlloc, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
ADVAPI32.dll | ClearEventLogW
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T16:28:34.929805+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49734 | 198.23.227.212 | 32583 | TCP
2024-12-03T16:28:50.463184+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49752 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:28:30.012937069 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:30.133028984 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:30.133126974 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:34.446923971 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:34.567051888 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:34.835768938 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:34.929805040 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:35.028218031 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:35.117258072 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:35.124397993 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:35.247972965 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:35.248059034 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:35.369424105 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:35.634967089 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:35.820352077 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:35.826847076 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:36.007884026 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:37.461409092 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:37.582102060 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:49.003109932 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:28:49.123615026 CET | 80 | 49752 | 178.237.33.50 | 192.168.2.4
Dec 3, 2024 16:28:49.123744011 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:28:49.124042034 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:28:49.244146109 CET | 80 | 49752 | 178.237.33.50 | 192.168.2.4
Dec 3, 2024 16:28:50.463073969 CET | 80 | 49752 | 178.237.33.50 | 192.168.2.4
Dec 3, 2024 16:28:50.463184118 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:28:50.502876043 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:28:50.622834921 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:51.502242088 CET | 80 | 49752 | 178.237.33.50 | 192.168.2.4
Dec 3, 2024 16:28:51.502305031 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:28:59.793692112 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:28:59.851716995 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:29:00.216393948 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:29:00.337452888 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:29:30.041019917 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:29:30.087930918 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:29:30.734889984 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:29:30.855194092 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:30:00.294353962 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:30:00.351924896 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:30:00.673379898 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:30:00.794569016 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:30:30.578289986 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:30:30.633268118 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:30:30.944405079 CET | 49734 | 32583 | 192.168.2.4 | 198.23.227.212
Dec 3, 2024 16:30:31.064932108 CET | 32583 | 49734 | 198.23.227.212 | 192.168.2.4
Dec 3, 2024 16:30:38.461777925 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:30:38.792440891 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:30:39.445842981 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
Dec 3, 2024 16:30:40.742723942 CET | 49752 | 80 | 192.168.2.4 | 178.237.33.50
                                              Dec 3, 2024 16:30:43.336479902 CET4975280192.168.2.4178.237.33.50
                                              Dec 3, 2024 16:30:48.523916006 CET4975280192.168.2.4178.237.33.50
                                              Dec 3, 2024 16:30:58.898916960 CET4975280192.168.2.4178.237.33.50
                                              Dec 3, 2024 16:31:00.859508038 CET3258349734198.23.227.212192.168.2.4
                                              Dec 3, 2024 16:31:00.914549112 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:31:01.340029001 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:31:01.460362911 CET3258349734198.23.227.212192.168.2.4
                                              Dec 3, 2024 16:31:31.558078051 CET3258349734198.23.227.212192.168.2.4
                                              Dec 3, 2024 16:31:31.602144003 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:31:32.246922016 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:31:32.367665052 CET3258349734198.23.227.212192.168.2.4
                                              Dec 3, 2024 16:32:01.977418900 CET3258349734198.23.227.212192.168.2.4
                                              Dec 3, 2024 16:32:02.024116039 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:32:02.362095118 CET4973432583192.168.2.4198.23.227.212
                                              Dec 3, 2024 16:32:02.482736111 CET3258349734198.23.227.212192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:28:48.853251934 CET | 63349 | 53 | 192.168.2.4 | 1.1.1.1
Dec 3, 2024 16:28:48.993839025 CET | 53 | 63349 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 16:28:48.853251934 CET | 192.168.2.4 | 1.1.1.1 | 0x36f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 16:28:48.993839025 CET | 1.1.1.1 | 192.168.2.4 | 0x36f | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49752 | 178.237.33.50 | 80 | 3520 | C:\Users\user\AppData\Roaming\yava\yava_vd.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 16:28:49.124042034 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 3, 2024 16:28:50.463073969 CET | 1171 | IN | HTTP/1.1 200 OK
date: Tue, 03 Dec 2024 15:28:50 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                              Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                              Target ID:0
                                              Start time:10:28:12
                                              Start date:03/12/2024
                                              Path:C:\Users\user\Desktop\E84Ddy7gSh.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\E84Ddy7gSh.exe"
                                              Imagebase:0x400000
                                              File size:466'432 bytes
                                              MD5 hash:60E18D4606431A33C406C1AD21DDC4E2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2314578868.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.1977291270.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:10:28:16
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1072
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:10:28:18
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1080
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:10:28:19
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1132
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:10:28:20
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1140
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:10:28:21
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1176
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:10:28:22
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1204
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:10:28:23
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1080
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:10:28:24
                                              Start date:03/12/2024
                                              Path:C:\Users\user\AppData\Roaming\yava\yava_vd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
                                              Imagebase:0x400000
                                              File size:466'432 bytes
                                              MD5 hash:60E18D4606431A33C406C1AD21DDC4E2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.4401266733.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4401297367.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000003.2101181064.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.4399861671.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.4401153670.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Antivirus matches:
                                              • Detection: 68%, ReversingLabs
                                              Reputation:low
                                              Has exited:false

                                              Target ID:18
                                              Start time:10:28:25
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 972
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:21
                                              Start time:10:28:29
                                              Start date:03/12/2024
                                              Path:C:\Users\user\AppData\Roaming\yava\yava_vd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
                                              Imagebase:0x400000
                                              File size:466'432 bytes
                                              MD5 hash:60E18D4606431A33C406C1AD21DDC4E2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2340121187.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000003.2171817670.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000015.00000002.2340091843.0000000002F2A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.2338776222.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000015.00000002.2340023233.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Has exited:true

                                              Target ID:22
                                              Start time:10:28:30
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 704
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:10:28:32
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 740
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:10:28:35
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 728
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:10:28:36
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 524
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:30
                                              Start time:10:28:37
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 796
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:32
                                              Start time:10:28:38
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 804
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:33
                                              Start time:10:28:39
                                              Start date:03/12/2024
                                              Path:C:\Users\user\AppData\Roaming\yava\yava_vd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\yava\yava_vd.exe"
                                              Imagebase:0x400000
                                              File size:466'432 bytes
                                              MD5 hash:60E18D4606431A33C406C1AD21DDC4E2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000021.00000002.2367559880.0000000002DDA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2367590433.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000021.00000002.2367461787.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.2366150598.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000003.2264223239.0000000003110000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              Has exited:true

                                              Target ID:35
                                              Start time:10:28:39
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 760
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:37
                                              Start time:10:28:41
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:39
                                              Start time:10:28:42
                                              Start date:03/12/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 744
                                              Imagebase:0x610000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:1.3%
                                                Dynamic/Decrypted Code Coverage:3.8%
                                                Signature Coverage:30.6%
                                                Total number of Nodes:744
                                                Total number of Limit Nodes:18
86094->86102 86098 405282 86097->86098 86101 4028a4 22 API calls 86098->86101 86103 40268b 86102->86103 86104 4023ce 11 API calls 86103->86104 86105 40208d 86104->86105 86105->85791 86106->85793 86107->85804 86110 41c055 GetCurrentProcess IsWow64Process 86109->86110 86111 41b362 86109->86111 86110->86111 86112 41c06c 86110->86112 86113 4135e1 RegOpenKeyExA 86111->86113 86112->86111 86114 41360f RegQueryValueExA RegCloseKey 86113->86114 86115 413639 86113->86115 86114->86115 86116 402093 28 API calls 86115->86116 86117 41364e 86116->86117 86117->85815 86118->85823 86120 40b947 86119->86120 86125 402252 86120->86125 86122 40b952 86129 40b967 86122->86129 86124 40b961 86124->85834 86126 4022ac 86125->86126 86127 40225c 86125->86127 86126->86122 86127->86126 86136 402779 11 API calls std::_Deallocate 86127->86136 86130 40b9a1 86129->86130 86131 40b973 86129->86131 86148 4028a4 22 API calls 86130->86148 86137 4027e6 86131->86137 86135 40b97d 86135->86124 86136->86126 86138 4027ef 86137->86138 86139 402851 86138->86139 86140 4027f9 86138->86140 86150 4028a4 22 API calls 86139->86150 86143 402802 86140->86143 86144 402815 86140->86144 86149 402aea 28 API calls __EH_prolog 86143->86149 86146 402813 86144->86146 86147 402252 11 API calls 86144->86147 86146->86135 86147->86146 86149->86146 86151->85843 86153 402347 86152->86153 86154 402252 11 API calls 86153->86154 86155 4023c7 86154->86155 86155->85843 86157 401f8e 86156->86157 86158 402252 11 API calls 86157->86158 86159 401f99 86158->86159 86159->85850 86159->85851 86159->85852 86161 404186 86160->86161 86162 402252 11 API calls 86161->86162 86163 404191 86162->86163 86172 4041bc 28 API calls 86163->86172 86165 40419c 86165->85865 86166->85856 86167->85883 86168->85884 86169->85872 86170->85876 86171->85882 86172->86165 86174 401f86 11 API calls 86173->86174 86175 4091a2 86174->86175 86219 40314c 86175->86219 86177 4091bf 86223 40325d 86177->86223 86179 4091c7 86179->85915 86181 40cdaa 86180->86181 86182 40cd6e 
86180->86182 86183 40cdeb 86181->86183 86185 40b9b7 28 API calls 86181->86185 86237 40b9b7 86182->86237 86186 40ce2c 86183->86186 86189 40b9b7 28 API calls 86183->86189 86188 40cdc1 86185->86188 86186->85935 86186->85936 86191 403014 28 API calls 86188->86191 86192 40ce02 86189->86192 86190 403014 28 API calls 86193 40cd8a 86190->86193 86194 40cdcb 86191->86194 86195 403014 28 API calls 86192->86195 86196 41384f 14 API calls 86193->86196 86197 41384f 14 API calls 86194->86197 86198 40ce0c 86195->86198 86199 40cd9e 86196->86199 86200 40cddf 86197->86200 86201 41384f 14 API calls 86198->86201 86202 401f09 11 API calls 86199->86202 86204 401f09 11 API calls 86200->86204 86203 40ce20 86201->86203 86202->86181 86205 401f09 11 API calls 86203->86205 86204->86183 86205->86186 86244 403222 86207->86244 86209 403022 86248 403262 86209->86248 86214 4138a1 86213->86214 86215 413864 86213->86215 86216 401f09 11 API calls 86214->86216 86218 41387d RegSetValueExW RegCloseKey 86215->86218 86217 40d056 86216->86217 86217->85970 86218->86214 86220 403156 86219->86220 86221 4027e6 28 API calls 86220->86221 86222 403175 86220->86222 86221->86222 86222->86177 86224 40323f 86223->86224 86227 4036a6 86224->86227 86226 40324c 86226->86179 86228 402888 22 API calls 86227->86228 86229 4036b9 86228->86229 86230 40372c 86229->86230 86232 4036de 86229->86232 86236 4028a4 22 API calls 86230->86236 86234 4027e6 28 API calls 86232->86234 86235 4036f0 86232->86235 86234->86235 86235->86226 86238 401f86 11 API calls 86237->86238 86239 40b9c3 86238->86239 86240 40314c 28 API calls 86239->86240 86241 40b9df 86240->86241 86242 40325d 28 API calls 86241->86242 86243 40b9f2 86242->86243 86243->86190 86245 40322e 86244->86245 86254 403618 86245->86254 86247 40323b 86247->86209 86249 40326e 86248->86249 86250 402252 11 API calls 86249->86250 86251 403288 86250->86251 86252 402336 11 API calls 86251->86252 86253 403031 86252->86253 86253->85919 86255 403626 86254->86255 86256 403644 86255->86256 86257 
40362c 86255->86257 86258 40365c 86256->86258 86259 40369e 86256->86259 86260 4036a6 28 API calls 86257->86260 86263 4027e6 28 API calls 86258->86263 86264 403642 86258->86264 86265 4028a4 22 API calls 86259->86265 86260->86264 86263->86264 86264->86247 86267 4024f9 86266->86267 86268 40250a 28 API calls 86267->86268 86269 4020b1 86268->86269 86269->85577 86278 412829 61 API calls 86273->86278 86279 43bea8 86282 43beb4 _swprintf ___FrameUnwindToState 86279->86282 86280 43bec2 86295 44062d 20 API calls _abort 86280->86295 86282->86280 86284 43beec 86282->86284 86283 43bec7 pre_c_initialization ___FrameUnwindToState 86290 445909 RtlEnterCriticalSection 86284->86290 86286 43bef7 86291 43bf98 86286->86291 86290->86286 86293 43bfa6 86291->86293 86292 43bf02 86296 43bf1f RtlLeaveCriticalSection std::_Lockit::~_Lockit 86292->86296 86293->86292 86293->86293 86297 4497ec 36 API calls 2 library calls 86293->86297 86295->86283 86296->86283 86297->86293 86298 482003c 86299 4820049 86298->86299 86313 4820e0f SetErrorMode SetErrorMode 86299->86313 86304 4820265 86305 48202ce VirtualProtect 86304->86305 86307 482030b 86305->86307 86306 4820439 VirtualFree 86311 48205f4 LoadLibraryA 86306->86311 86312 48204be 86306->86312 86307->86306 86308 48204e3 LoadLibraryA 86308->86312 86310 48208c7 86311->86310 86312->86308 86312->86311 86314 4820223 86313->86314 86315 4820d90 86314->86315 86316 4820dad 86315->86316 86317 4820dbb GetPEB 86316->86317 86318 4820238 VirtualAlloc 86316->86318 86317->86318 86318->86304 86319 2d0760e 86320 2d0761d 86319->86320 86323 2d07dae 86320->86323 86324 2d07dc9 86323->86324 86325 2d07dd2 CreateToolhelp32Snapshot 86324->86325 86326 2d07dee Module32First 86324->86326 86325->86324 86325->86326 86327 2d07dfd 86326->86327 86329 2d07626 86326->86329 86330 2d07a6d 86327->86330 86331 2d07a98 86330->86331 86332 2d07ae1 86331->86332 86333 2d07aa9 VirtualAlloc 86331->86333 86332->86332 86333->86332

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad$HandleModule
                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                • API String ID: 4236061018-3687161714
                                                • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE
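The 48 API lines above belong to one function, 0041CBE1, which resolves its imports at run time: every LoadLibraryA or GetModuleHandleA call is followed immediately by GetProcAddress, and because Joe Sandbox prints the stack slots after the real argument, the second displayed argument of each loader call is the name the next GetProcAddress receives. The one exception is Shlwapi, where that slot is 0000000C: an ordinal (12), not a string, so that import never shows up in a string scan. The script below is an added example, not part of the report or of the sample. It rebuilds the (library, function) pairs from a pasted excerpt of these lines and tags each one with a capability; the capability map is the editor's own assumption, and the excerpt is a subset of the listing.

```python
"""Recover (library, function) pairs from the Joe Sandbox "APIs" listing of a
LoadLibrary/GetProcAddress resolver and tag each with the capability the
resolved pointer gives the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a subset of the report's lines for 0041CBE1,
# pasted verbatim. Feed the whole listing for the full table.
REPORT_LINES = """\
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
"""

# One listing line: "• Api.MODULE(arg,arg,...), ref: 0041CBF6"
LINE_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Capability map: the editor's assumption about what each resolved pointer is
# for, not something the report states.
CAPABILITIES = {
    "NtUnmapViewOfSection": "unmap a section in another process (process hollowing)",
    "NtSuspendProcess": "suspend/resume other processes",
    "NtResumeProcess": "suspend/resume other processes",
    "NtQueryInformationProcess": "process introspection / debugger checks",
    "SetProcessDEPPolicy": "change own DEP policy",
    "IsUserAnAdmin": "privilege level check",
    "GetExtendedTcpTable": "enumerate network connections",
    "GetExtendedUdpTable": "enumerate network connections",
    "RmStartSession": "Restart Manager: find processes holding a file",
    "RmGetList": "Restart Manager: find processes holding a file",
    "GetProcessImageFileNameW": "enumerate processes by image path",
}


@dataclass
class ResolvedImport:
    library: str
    name: Optional[str]      # None when the import is resolved by ordinal
    ordinal: Optional[int]   # set when GetProcAddress receives an ordinal
    loader: str              # LoadLibraryA or GetModuleHandleA
    ref: int                 # address of the loader call


def parse_resolver(text: str) -> List[ResolvedImport]:
    """Pair each LoadLibraryA/GetModuleHandleA line with the GetProcAddress
    that follows it; the loader's second displayed argument is the name or
    ordinal that GetProcAddress will be given."""
    pending: Optional[ResolvedImport] = None
    resolved: List[ResolvedImport] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        api, _module, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")]
        if api in ("LoadLibraryA", "GetModuleHandleA") and len(args) >= 2:
            name, ordinal = args[1], None
            if re.fullmatch(r"[0-9A-Fa-f]{8}", name):   # a number on the stack: ordinal import
                name, ordinal = None, int(name, 16)
            pending = ResolvedImport(args[0], name, ordinal, api, int(ref, 16))
        elif api == "GetProcAddress" and pending is not None:
            resolved.append(pending)
            pending = None
    return resolved


def capability_summary(imports: List[ResolvedImport]) -> Dict[str, List[str]]:
    """Group resolved names by capability; unknown names and ordinal imports go
    under 'unclassified' so nothing is silently dropped."""
    summary: Dict[str, List[str]] = {}
    for imp in imports:
        label = imp.name if imp.name else f"{imp.library}!#{imp.ordinal}"
        summary.setdefault(CAPABILITIES.get(imp.name or "", "unclassified"), []).append(label)
    return summary


def libraries_pulled_in(imports: List[ResolvedImport]) -> List[str]:
    """DLLs the resolver loads itself (LoadLibraryA) rather than expecting them
    to be present already (GetModuleHandleA): image-load telemetry targets."""
    return sorted({i.library for i in imports if i.loader == "LoadLibraryA"}, key=str.lower)


if __name__ == "__main__":
    imports = parse_resolver(REPORT_LINES)
    for cap, names in capability_summary(imports).items():
        print(f"{cap}: {', '.join(names)}")
    print("loaded by the sample itself:", ", ".join(libraries_pulled_in(imports)))
```

The LoadLibraryA/GetModuleHandleA split is worth keeping in the output: the sample expects kernel32, user32 and ntdll to be present already but pulls in Psapi, Iphlpapi, Rstrtmgr, shcore, Shell32 and Shlwapi itself, and those image loads are observable from endpoint telemetry even though the resolved names never appear in the import table.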

                                                Control-flow Graph

[Control-flow graph for the function at 0040EA00, the agent initialisation routine: basic-block dump omitted (the rendered graph marks blocks executed / not executed). Direct API calls in its blocks: GetModuleFileNameW (block 0040EA00), CreateThread (blocks 0040EFFE, 0040F103, 0040F158, 0040F1A9, 0040F27E, 0040F293, 0040F2A8), StrToIntA (block 0040F025), and a retry loop of DeleteFileW (block 0040F381) with Sleep (block 0040F36F) between attempts. Notable subcalls: the import resolver at 0041CBE1 in the first block, the mutex routine at 0040D0A4 (block 0040EC3E), the 0041B354 routine (IsWow64Process and a registry query) at block 0040EC59, and the installer at 0040CE34 (block 0040EDCE).]
                                                APIs
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\E84Ddy7gSh.exe,00000104), ref: 0040EA29
                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Similarity
                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\E84Ddy7gSh.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-D7NPY6$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                • API String ID: 2830904901-704991686
                                                • Opcode ID: ba9bb1a6ecb886ac67152e7734389441a58ec43c3ef3c02899b2bf8b8f602431
                                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                • Opcode Fuzzy Hash: ba9bb1a6ecb886ac67152e7734389441a58ec43c3ef3c02899b2bf8b8f602431
                                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae1a628f13adae4f54a8a3a0eb171c0ce914c46fd7e9435622e3bbf1e7511047
                                                • Instruction ID: 76f748d2ba06aa2109bc40ccbacee461fb42dba5b7634e66e45ce41d3c5ed1bf
                                                • Opcode Fuzzy Hash: ae1a628f13adae4f54a8a3a0eb171c0ce914c46fd7e9435622e3bbf1e7511047
                                                • Instruction Fuzzy Hash: 9BC08C7220412057C514F224924984E23961B4130470048BFF000AB1D0CABD9C81829E

                                                Control-flow Graph

                                                APIs
                                                • _wcslen.LIBCMT ref: 0040CE42
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\E84Ddy7gSh.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                • _wcslen.LIBCMT ref: 0040CF21
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\E84Ddy7gSh.exe,00000000,00000000), ref: 0040CFBF
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                • _wcslen.LIBCMT ref: 0040D001
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                • ExitProcess.KERNEL32 ref: 0040D09D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                • String ID: 6$C:\Users\user\Desktop\E84Ddy7gSh.exe$del$open
                                                • API String ID: 1579085052-37996064

                                                Control-flow Graph

                                                APIs
                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LongNamePath
                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                • API String ID: 82841172-425784914

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0482024D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID: cess$kernel32.dll
                                                • API String ID: 4275171209-1230238691

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                  • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 782494840-2070987746

                                                Control-flow Graph

                                                APIs
                                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 00413888
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 1818849710-1051519024

                                                Control-flow Graph

                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                • GetLastError.KERNEL32 ref: 0040D0BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID: Rmc-D7NPY6
                                                • API String ID: 1925916568-926284066

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                • RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0

                                                Control-flow Graph

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D07DD6
                                                • Module32First.KERNEL32(00000000,00000224), ref: 02D07DF6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D07000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d07000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 3833638111-0

                                                Control-flow Graph

                                                APIs
                                                • SetErrorMode.KERNEL32(00000400,?,?,04820223,?,?), ref: 04820E19
                                                • SetErrorMode.KERNEL32(00000000,?,?,04820223,?,?), ref: 04820E1E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02D07ABE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314536540.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D07000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d07000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                • API String ID: 1067849700-181434739
                                                • Opcode ID: 2d13e027d7d5250f2079b09e426665e5b64f596e7788c4e00595e4e8e35796ad
                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                • Opcode Fuzzy Hash: 2d13e027d7d5250f2079b09e426665e5b64f596e7788c4e00595e4e8e35796ad
                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                • CloseHandle.KERNEL32 ref: 00405A23
                                                • CloseHandle.KERNEL32 ref: 00405A2B
                                                • CloseHandle.KERNEL32 ref: 00405A3D
                                                • CloseHandle.KERNEL32 ref: 00405A45
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                • API String ID: 2994406822-18413064
                                                • Opcode ID: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                • Opcode Fuzzy Hash: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                • API String ID: 3018269243-13974260
                                                • Opcode ID: be382ae3246a84b07804265bcb915cb84d61a731cde31d212bac553ac141f8d6
                                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                • Opcode Fuzzy Hash: be382ae3246a84b07804265bcb915cb84d61a731cde31d212bac553ac141f8d6
                                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                • API String ID: 1164774033-3681987949
                                                • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                APIs
                                                • OpenClipboard.USER32 ref: 004168FD
                                                • EmptyClipboard.USER32 ref: 0041690B
                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                • CloseClipboard.USER32 ref: 00416990
                                                • OpenClipboard.USER32 ref: 00416997
                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                • CloseClipboard.USER32 ref: 004169BF
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                • String ID: !D@
                                                • API String ID: 3520204547-604454484
                                                • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                APIs
                                                • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041D66B
                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                • String ID: Close
                                                • API String ID: 1665278180-3535843008
                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$File$FirstNext
                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 3527384056-432212279
                                                • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                • 734B5D90.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$CreateDirectoryH_prologLocalTime
                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                • API String ID: 3069631530-1431523004
                                                • Opcode ID: ed0dc15d332ee4383210d553d6c4f7a7ac5547de3233ceb75dc48dba0a47a24e
                                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                • Opcode Fuzzy Hash: ed0dc15d332ee4383210d553d6c4f7a7ac5547de3233ceb75dc48dba0a47a24e
                                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                APIs
                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                • String ID:
                                                • API String ID: 297527592-0
                                                • Opcode ID: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                • Opcode Fuzzy Hash: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                APIs
                                                • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0483D8D2
                                                • GetCursorPos.USER32(?), ref: 0483D8E1
                                                • SetForegroundWindow.USER32(?), ref: 0483D8EA
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0483D904
                                                • Shell_NotifyIcon.SHELL32(00000002,00474B48), ref: 0483D955
                                                • ExitProcess.KERNEL32 ref: 0483D95D
                                                • CreatePopupMenu.USER32 ref: 0483D963
                                                • AppendMenuA.USER32(00000000,00000000,00000000,0046CF5C), ref: 0483D978
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                • String ID:
                                                • API String ID: 1665278180-0
                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction ID: 554c1aebe4e5dd21d8182fbe56bf0671dc50201ff0886e7d72eaf8c894993f08
                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction Fuzzy Hash: 4721E971144209FFDB165FA4ED0EAA97FA5EB08306F000A24FA06D50B2D775ED61EB98
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                • API String ID: 3756808967-1743721670
                                                • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                • API String ID: 0-1861860590
                                                • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                APIs
                                                • _wcslen.LIBCMT ref: 0040755C
                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object_wcslen
                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                • API String ID: 240030777-3166923314
                                                • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                • GetLastError.KERNEL32 ref: 0041A84C
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                • String ID:
                                                • API String ID: 3587775597-0
                                                • Opcode ID: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                • Opcode Fuzzy Hash: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0483AA56
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0483AAA5
                                                • GetLastError.KERNEL32 ref: 0483AAB3
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0483AAEB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                • String ID:
                                                • API String ID: 3587775597-0
                                                • Opcode ID: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                                                • Instruction ID: 71a03625e8baa459569705911386b2384fde4f10c59d55a11a4d2d81ef0a4e34
                                                • Opcode Fuzzy Hash: a103e76dbcfb3da65abf4833947f0e746439e5ab83e6bce2808fe49156252710
                                                • Instruction Fuzzy Hash: 28814C71104310ABD705EF64D994DAFB7A8BF94708F500E2DF59692190EFB4BA48CBA2
                                                APIs
                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 048336B9
                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 048336C7
                                                • GetFileSize.KERNEL32(?,00000000), ref: 048336D4
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 048336F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$View$CreateMappingSizeUnmap
                                                • String ID:
                                                • API String ID: 2708475042-0
                                                • Opcode ID: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                                • Instruction ID: d21b86b87b232ba9725ab282b87e881c82ae563922575f2e38d9009f2155cba3
                                                • Opcode Fuzzy Hash: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                                • Instruction Fuzzy Hash: 3641E971104301BFE710AB25DC49F2B7BACEF8571AF100F29F955D51A1EB70E900DAA6
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 1164774033-405221262
                                                • Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                • Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2341273852-0
                                                • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0483C5E4
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0483C614
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 0483C686
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0483C693
                                                  • Part of subcall function 0483C589: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0483C669
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0483C6B4
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0483C6CA
                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0483C6D1
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0483C6DA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2341273852-0
                                                • Opcode ID: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                                                • Instruction ID: 957a2b7971576941577ff9ad36fc9e1d798cfe94fbbe7f698b0eedf880c1d378
                                                • Opcode Fuzzy Hash: 3ce5481c26192bdbfdec80ea01d0d7f8eca5c7462b2347321480bf835a106a91
                                                • Instruction Fuzzy Hash: BB31487290421CAADB10EB64DC4CEDB77ACAF04216F040AEAE655E3061FF75EAC48E55
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$CreateFirstNext
                                                • String ID: 8SG$PXG$PXG$NG$PG
                                                • API String ID: 341183262-3812160132
                                                • Opcode ID: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                • Opcode Fuzzy Hash: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 0483A043
                                                  • Part of subcall function 0483C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C796
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateFindFirst
                                                • String ID: 8SG$8eF$PXG$PXG$NG$PG
                                                • API String ID: 41799849-432830541
                                                • Opcode ID: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                                                • Instruction ID: 6ad0a7de3216e8ca8f8a2ab6ed61038174805a1fde9d763434ea5c7f089ccbe5
                                                • Opcode Fuzzy Hash: 5584b3d18adbed3091afe8ba58a2a7bcfc961150b038985754328bafed151b69
                                                • Instruction Fuzzy Hash: 54814431504250ABE318FB28DA50DEFB3A4AF90204F404F6DB556D71E0EFB1BA89C693
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 04828AB3
                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04828B6C
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 04828B94
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04828BA1
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04828CB7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                • String ID: xdF$y~E
                                                • API String ID: 1771804793-3309775686
                                                • Opcode ID: fbec0ca1c6534dac2abf004e93539abf94b6fbf8a08b3c57209892525d8be330
                                                • Instruction ID: 0115f9036636b5040df588affd86cd8a61d7810022938a7982a4f0d452a530b7
                                                • Opcode Fuzzy Hash: fbec0ca1c6534dac2abf004e93539abf94b6fbf8a08b3c57209892525d8be330
                                                • Instruction Fuzzy Hash: F2516472900218AADF04FBA8DE55DDD7778AF50304F500B59E906E7090EF74BB89CB92
                                                APIs
                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 04836AF8
                                                • LoadLibraryA.KERNEL32(0046C780,0046C770,00000000,00000000,00000000), ref: 04836B0D
                                                • GetProcAddress.KERNEL32(00000000), ref: 04836B14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressExitLibraryLoadProcWindows
                                                • String ID: !D@$$aF$(aF$,aF
                                                • API String ID: 1366546845-3582022958
                                                • Opcode ID: 5755bd4ddfd752d8f33c5864166cf0cae3c27c49654309926f5137c9d8374bbd
                                                • Instruction ID: c4947c9d893d62c49da0a4cce8811a164942628e5e0df054c26c376bf6e3d6e6
                                                • Opcode Fuzzy Hash: 5755bd4ddfd752d8f33c5864166cf0cae3c27c49654309926f5137c9d8374bbd
                                                • Instruction Fuzzy Hash: 3221F560240322A7EB14F7B8DA54AAE3249DB50309F404EB97902E7191FFE5FC85C667
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                • GetLastError.KERNEL32 ref: 0040A328
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                • TranslateMessage.USER32(?), ref: 0040A385
                                                • DispatchMessageA.USER32(?), ref: 0040A390
                                                Strings
                                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                • String ID: Keylogger initialization failure: error
                                                • API String ID: 3219506041-952744263
                                                • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00466A94), ref: 0482BE51
                                                • FindClose.KERNEL32(00000000), ref: 0482BE6B
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0482BF8E
                                                • FindClose.KERNEL32(00000000), ref: 0482BFB4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID:
                                                • API String ID: 1164774033-0
                                                • Opcode ID: 63b5c3d314a4db64527c0e7c5aa918f33f6a2b2645f393baa9aaff12138484f1
                                                • Instruction ID: ba97f247dbcf2b7bf1bf0130f718a9ade7aad70e06e0feaa7d503a9f899dbc46
                                                • Opcode Fuzzy Hash: 63b5c3d314a4db64527c0e7c5aa918f33f6a2b2645f393baa9aaff12138484f1
                                                • Instruction Fuzzy Hash: 1C5153319001299BEB14FBA8DE55DEEB735AF11204F500E99E405E20A5FFB1BAC9CA46
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 0040A451
                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                • GetKeyState.USER32(00000010), ref: 0040A46E
                                                • GetKeyboardState.USER32(?), ref: 0040A479
                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                • String ID:
                                                • API String ID: 1888522110-0
                                                • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
                                                • API String ID: 4168288129-3873169313
                                                • Opcode ID: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                                • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                                • Opcode Fuzzy Hash: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                                • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                • API String ID: 2127411465-314212984
                                                • Opcode ID: 09788986c499ccf61a32fa2fa99dcd6ee3d0b3087326da66d508dcd15781bba8
                                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                • Opcode Fuzzy Hash: 09788986c499ccf61a32fa2fa99dcd6ee3d0b3087326da66d508dcd15781bba8
                                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                APIs
                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                • API String ID: 1589313981-2876530381
                                                • Opcode ID: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
                                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                • Opcode Fuzzy Hash: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
                                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                APIs
                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                Strings
                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                • String ID: http://geoplugin.net/json.gp
                                                • API String ID: 3121278467-91888290
                                                • Opcode ID: 57dbabaecf7d387fca1fccaaf918aea223ffbee7dad3a19db74472bdfd73447a
                                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                • Opcode Fuzzy Hash: 57dbabaecf7d387fca1fccaaf918aea223ffbee7dad3a19db74472bdfd73447a
                                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                Strings
                                                • UserProfile, xrefs: 0040BA59
                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                • API String ID: 2018770650-1062637481
                                                • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                • GetLastError.KERNEL32 ref: 004179D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3534403312-3733053543
                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00409293
                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                • String ID:
                                                • API String ID: 1824512719-0
                                                • Opcode ID: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                • Opcode Fuzzy Hash: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: FSE$FSE$PkGNG
                                                • API String ID: 0-1266307253
                                                • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                • String ID:
                                                • API String ID: 276877138-0
                                                • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                APIs
                                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                  • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                  • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                • ExitProcess.KERNEL32 ref: 0040F905
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                • String ID: 5.1.3 Pro$override$pth_unenc
                                                • API String ID: 2281282204-1392497409
                                                • Opcode ID: 1ed3daa43cea5a2e5783669c753d3b37d94c29cfe39d4015f84ade39b6c46fae
                                                • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                • Opcode Fuzzy Hash: 1ed3daa43cea5a2e5783669c753d3b37d94c29cfe39d4015f84ade39b6c46fae
                                                • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                • GetACP.KERNEL32 ref: 00452593
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 048727BC
                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 048727E5
                                                • GetACP.KERNEL32 ref: 048727FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction ID: 9bffca5e7b32b07ea18486114e1829cf3ed4c221be92248053fdba046c944d6e
                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction Fuzzy Hash: 1D215336B04104A7DB348F58CA21A9B73A6EB44FA5B568FE4E90AD7610F732FD80D350
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04827AF9
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04827BC1
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstNextsend
                                                • String ID: 8eF$XPG$XPG
                                                • API String ID: 4113138495-4157548504
                                                • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                • Instruction ID: 5df154667adc1942e9275d774f464f9a9e8b03c5c57d220f555d07d37ecf8d7b
                                                • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                • Instruction Fuzzy Hash: 172193311042545BE714FB68DA94DEFB3A8AF81358F400F59B586E2090EFB1BA888653
                                                APIs
                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID: SETTINGS
                                                • API String ID: 3473537107-594951305
                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
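The function listings above pair Win32 API calls with the string arguments that give them meaning: the geoplugin.net lookup, the DeleteFileA on Chrome's Login Data, SeShutdownPrivilege followed by ExitWindowsEx and SetSuspendState, the SETTINGS resource that carries the configuration, and Sleep followed by ExitProcess. Turning such listings into behaviour tags is mostly a parsing job. The script below is an added example and is not part of this Joe Sandbox report or of Joe Sandbox itself: it parses "APIs"/"Strings" bullet lines in the format shown on this page, and the rule table and tag names are my own choices (assumptions, not sandbox output). The sample text is constructed from the report's own lines, trimmed.

```python
"""Map Joe Sandbox "Execution Graph" API listings to behaviour tags.
Added example (not Joe Sandbox code). Rule table and tag names are assumptions."""
import re

# "• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,...), ref: 0041B44E"
# "  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(...), ref: 004179B3"
# "• ExitProcess.KERNEL32 ref: 0040F905"          (call without an argument list)
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_@][\w@]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# "• http://geoplugin.net/json.gp, xrefs: 0041B448"
STR_RE = re.compile(r"•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]{8}$")


def parse_listing(text):
    """One dict per function: "APIs" opens a function ("Strings" too if none is
    open), "Memory Dump Source" closes it. Each API entry keeps api/mod/args/ref."""
    funcs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            if cur is None or line == "APIs":
                cur = {"apis": [], "strings": []}
                funcs.append(cur)
            section = line.lower()
        elif line.startswith("Memory Dump Source"):
            cur, section = None, None
        elif cur is not None and section == "apis" and (m := API_RE.match(line)):
            cur["apis"].append({"api": m["api"], "mod": m["mod"], "args": m["args"] or "",
                                "ref": m["ref"], "subcall": bool(m["sub"])})
        elif cur is not None and section == "strings" and (m := STR_RE.match(line)):
            cur["strings"].append(m["s"])
    return funcs


def has_api(func, name):
    return any(a["api"] == name for a in func["apis"])


def blob(func):
    """All argument text plus string literals, for substring checks."""
    return " ".join(a["args"] for a in func["apis"]) + " " + " ".join(func["strings"])


def sleep_ms(func):
    """Millisecond argument of the first Sleep() call (hex in the report), or None."""
    for a in func["apis"]:
        if a["api"] == "Sleep" and a["args"]:
            return int(a["args"].split(",")[0], 16)
    return None


# (tag, predicate): each condition mirrors an API+string pair seen in the listings
RULES = [
    ("geolocation-beacon", lambda f: has_api(f, "InternetOpenUrlW") and "geoplugin.net" in blob(f)),
    ("chrome-logins-wiped", lambda f: has_api(f, "DeleteFileA") and "Login Data" in blob(f)),
    ("shutdown-privilege", lambda f: has_api(f, "AdjustTokenPrivileges") and "SeShutdownPrivilege" in blob(f)),
    ("logoff-shutdown-or-suspend", lambda f: has_api(f, "ExitWindowsEx") or "SetSuspendState" in blob(f)),
    ("config-in-SETTINGS-resource", lambda f: has_api(f, "FindResourceA") and "SETTINGS" in blob(f)),
    ("delayed-exit", lambda f: sleep_ms(f) is not None and has_api(f, "ExitProcess")),
]


def triage(text):
    """{tag: sorted ref addresses of the function's first own (non-subcall) call}."""
    hits = {}
    for f in parse_listing(text):
        own = [a for a in f["apis"] if not a["subcall"]] or f["apis"]
        if not own:
            continue
        for tag, pred in RULES:
            if pred(f):
                hits.setdefault(tag, []).append(own[0]["ref"])
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample: lines copied from this report's listings, trimmed.
SAMPLE = r"""APIs
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B448
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
Memory Dump Source
APIs
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
Memory Dump Source
APIs
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Memory Dump Source
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
Memory Dump Source
"""

if __name__ == "__main__":
    for tag, refs in triage(SAMPLE).items():
        print(f"{tag:30s} {', '.join(refs)}")
```

The ref addresses in the output let you jump straight back to the function in the disassembly. Two caveats: subcall entries are included when matching (the SeShutdownPrivilege rule depends on that), and substring matches on argument text break if the report truncates a long argument, so prefer the "Strings" section when it lists the same literal.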
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstH_prologNext
                                                • String ID:
                                                • API String ID: 1157919129-0
                                                • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0482990C
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 04829984
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 048299AD
                                                • FindClose.KERNEL32(?), ref: 048299C4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstH_prologNext
                                                • String ID:
                                                • API String ID: 1157919129-0
                                                • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                • Instruction ID: 3f0f5339324eb60709681cdde70cffb21a27bb91bec8fd3088f7feca80a4a084
                                                • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                • Instruction Fuzzy Hash: 97816672900129ABDB15EBA8DE90DED7378AF54314F104BAAD506E70A0EFB07B85CB51
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID:
                                                • API String ID: 745075371-0
                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 0486855B
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868568
                                                • GetUserDefaultLCID.KERNEL32 ref: 04872A03
                                                • IsValidCodePage.KERNEL32(00000000), ref: 04872A5E
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 04872A6D
                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 04872AB5
                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 04872AD4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID:
                                                • API String ID: 745075371-0
                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction ID: 02e04e70a447709f348f71811a645a12f2f6134b41bf3547e3b7bcd53a7db6e7
                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction Fuzzy Hash: 82519671900215ABEB21EFA8DC50FBEB3B8FF04704F084EA9E955E7151E7B0E9448B61
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                • String ID:
                                                • API String ID: 1771804793-0
                                                • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00466C74,00000000), ref: 0482C63D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0482C710
                                                • FindClose.KERNEL32(00000000), ref: 0482C71F
                                                • FindClose.KERNEL32(00000000), ref: 0482C74A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID:
                                                • API String ID: 1164774033-0
                                                • Opcode ID: 9128d6fdf9acd23b2076e297f120df01714350ed85117d2d9f94866c01566eb9
                                                • Instruction ID: 421a01c5608496f49cb3b9da9a187cc644248d46f0387b25c7a29fdb2dcd9b56
                                                • Opcode Fuzzy Hash: 9128d6fdf9acd23b2076e297f120df01714350ed85117d2d9f94866c01566eb9
                                                • Instruction Fuzzy Hash: CA319831600229AADB14FBBCDD98DFE7778AF51704F000A6AE505E20D0EFB47AC5CA56
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 04837C01
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 04837C08
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,0046C7D8,?), ref: 04837C1A
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04837C39
                                                • GetLastError.KERNEL32 ref: 04837C3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID:
                                                • API String ID: 3534403312-0
                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadExecuteFileShell
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe$open
                                                • API String ID: 2825088817-3551608729
                                                • Opcode ID: 8793840eac8686bf54ece34e1a240b9e84e456303432addf2c13db3a26793cb7
                                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                • Opcode Fuzzy Hash: 8793840eac8686bf54ece34e1a240b9e84e456303432addf2c13db3a26793cb7
                                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstNextsend
                                                • String ID: XPG$XPG
                                                • API String ID: 4113138495-1962359302
                                                • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 4127273184-3576401099
                                                • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 4127273184-3576401099
                                                • Opcode ID: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
                                                • Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
                                                • Opcode Fuzzy Hash: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
                                                • Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                                • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                                • ExitProcess.KERNEL32 ref: 0044338F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID: PkGNG
                                                • API String ID: 1703294689-263838557
                                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,04863592,00000003,0046E958,0000000C,048636E9,00000003,00000002,00000000,PkGNG,0486641E,00000003), ref: 048635DD
                                                • TerminateProcess.KERNEL32(00000000), ref: 048635E4
                                                • ExitProcess.KERNEL32 ref: 048635F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID: PkGNG
                                                • API String ID: 1703294689-263838557
                                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction ID: 3ba5ce189d3b31a7761604eeb76a3be86885ba357f1956f9fb78af534244c8ff
                                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction Fuzzy Hash: 9BE0B631001208FFCF516F68DE59A483B6AEB40646F004964FD0ACB162CB76ED52DB44
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
                                                • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 4212172061-0
                                                • Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                • Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • IsValidCodePage.KERNEL32(00000000), ref: 048720A1
                                                • _wcschr.LIBVCRUNTIME ref: 04872131
                                                • _wcschr.LIBVCRUNTIME ref: 0487213F
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 048721E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 4212172061-0
                                                • Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                • Instruction ID: 2c3ad023e9123b1782032a7c4a4210d9a1d245082b83b44d93dfb87d2eb89ca5
                                                • Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                                • Instruction Fuzzy Hash: 4C610732600206AAE725BF78CC55BB673ACFF44354F140EAAEA09D7680EA70F540C775
                                                APIs
                                                • _free.LIBCMT ref: 0044943D
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • GetTimeZoneInformation.KERNEL32 ref: 0044944F
                                                • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
                                                • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                • String ID:
                                                • API String ID: 806657224-0
                                                • Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                                • Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
                                                • Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                                • Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
                                                APIs
                                                  • Part of subcall function 048337EB: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 0483380B
                                                  • Part of subcall function 048337EB: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 04833829
                                                  • Part of subcall function 048337EB: RegCloseKey.ADVAPI32(00000000), ref: 04833834
                                                • Sleep.KERNEL32(00000BB8), ref: 0482FAFD
                                                • ExitProcess.KERNEL32 ref: 0482FB6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                • String ID: pth_unenc
                                                • API String ID: 2281282204-4028850238
                                                • Opcode ID: 81b0c12af02b44c2973477b5c91f8917c9a4cf5a464a254ec34441252f391ab4
                                                • Instruction ID: 193ee9c702ac33af9cdef3f8ebeb09989e23889aff99c5493eb4e861ef15a460
                                                • Opcode Fuzzy Hash: 81b0c12af02b44c2973477b5c91f8917c9a4cf5a464a254ec34441252f391ab4
                                                • Instruction Fuzzy Hash: 7D212B61B0432137E604B6BC4E49E2E79999B80618F504F5CF91AD72C5FED9BE8083E7
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0483CDCF
                                                  • Part of subcall function 04833A11: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 04833A20
                                                  • Part of subcall function 04833A11: RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000), ref: 04833A48
                                                  • Part of subcall function 04833A11: RegCloseKey.ADVAPI32(0046612C,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000,?,048289FF,00000001), ref: 04833A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: ,aF$Control Panel\Desktop
                                                • API String ID: 4127273184-2883592193
                                                • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                • Instruction ID: 4859e527735d130779d67767536c05a8b6d853aebfb15f3ba19f017d1734936c
                                                • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                • Instruction Fuzzy Hash: C0115E23BC025022E818313D5D57B7D2C069347F66F914A5AFA427A6C9F8CB7A9113CB
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                • String ID:
                                                • API String ID: 2829624132-0
                                                • Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                • Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 0485BED0
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0485BEDA
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0485BEE7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction ID: b79ee91a026e5d32612d72a8681b5c4a0e8d8c82fdf93758e106d63b8476b370
                                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction Fuzzy Hash: 8531C67590121CDBCB21DF68D98879DB7B8BF08311F5046EAE81CA7260E770AF858F45
                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                • String ID:
                                                • API String ID: 1815803762-0
                                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                APIs
                                                • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                • CloseClipboard.USER32 ref: 0040B760
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$CloseDataOpen
                                                • String ID:
                                                • API String ID: 2058664381-0
                                                • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenResume
                                                • String ID:
                                                • API String ID: 3614150671-0
                                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenSuspend
                                                • String ID:
                                                • API String ID: 1999457699-0
                                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,048362A1,00000000), ref: 0483BE0C
                                                • NtSuspendProcess.NTDLL(00000000), ref: 0483BE19
                                                • CloseHandle.KERNEL32(00000000,?,?,048362A1,00000000), ref: 0483BE22
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenSuspend
                                                • String ID:
                                                • API String ID: 1999457699-0
                                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction ID: 1db01ce3eecd51ebdcac4a432530f391748b94a30a1f2abcdd976713a50edbd2
                                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction Fuzzy Hash: 5DD05E37600121E3C32017AA7C0CD67AD68DFC5AA37054529F904C61519A20CC0186E4
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,048362C6,00000000), ref: 0483BE38
                                                • NtResumeProcess.NTDLL(00000000), ref: 0483BE45
                                                • CloseHandle.KERNEL32(00000000,?,?,048362C6,00000000), ref: 0483BE4E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenResume
                                                • String ID:
                                                • API String ID: 3614150671-0
                                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction ID: 1549c357eeeeb89d03210d38a8575ed267db0adf0941113c683b8520d389bdca
                                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction Fuzzy Hash: 1CD09E77504221E7C621176A7C0C957AE69DBC5EA3705452AF905D21659A60DC0186E4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .$GetProcAddress.$l
                                                • API String ID: 0-2784972518
                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                • Instruction ID: 8187e9d5fc2642250b8ef033f37b768ca7b94207ba16212c6361619c847e4065
                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                • Instruction Fuzzy Hash: CF318BB2900229DFEB11CF88C980AADBBF5FF09328F14454AD501E7210D370FA85CBA4
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,004533A6,000000FF,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID: PkGNG
                                                • API String ID: 3997070919-263838557
                                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID:
                                                • API String ID: 2325560087-3916222277
                                                • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0483CDCF
                                                  • Part of subcall function 04833A11: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 04833A20
                                                  • Part of subcall function 04833A11: RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000), ref: 04833A48
                                                  • Part of subcall function 04833A11: RegCloseKey.ADVAPI32(0046612C,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000,?,048289FF,00000001), ref: 04833A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop
                                                • API String ID: 4127273184-27424756
                                                • Opcode ID: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
                                                • Instruction ID: 1fcd19e823e72bc36c564536385b41c6d31a552f07e17d0e6d73d5705a3e6d1a
                                                • Opcode Fuzzy Hash: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
                                                • Instruction Fuzzy Hash: F8F0F633BC022022E529307D5E2BBBD2C00C743F23F154B16F202B56D8E4CA758152CB
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2299586839-2904428671
                                                • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                                                • Instruction ID: 4aaa1b7e9142c0b1064c607814b4b019204c1db9964a9c6bc0c693852c2dfbc4
                                                • Opcode Fuzzy Hash: 10f83df0c90a6610a8b53eb74bb6e058e5cc0ba0fe3e6508f91dd3b8627a5a0d
                                                • Instruction Fuzzy Hash: 5E023D71E002599FDF54CFA9C8806ADBBF1EF88324F158669D81AFB344E731A941CB90
                                                APIs
                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Name$ComputerUser
                                                • String ID:
                                                • API String ID: 4229901323-0
                                                • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG$wA
                                                • API String ID: 0-1404076192
                                                • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                                • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                                • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$PkGNG
                                                • API String ID: 0-1056914901
                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeProcess
                                                • String ID:
                                                • API String ID: 3859560861-0
                                                • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                                • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0487360D,?,?,00000008,?,?,048764C4,00000000), ref: 0487383F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                • Instruction ID: 478771657cae81e58b2f9d37cfecedf24236d36b0458deea04b5d4e12f28915b
                                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                                • Instruction Fuzzy Hash: 63B18F71610609DFD719CF28C49AB647BE0FF45364F258A58EC99CF2A1C339E981EB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                                • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                • Instruction ID: 5097b3b3c92d352d30424fbcac45e6e1dc0bfdba4a8b15c9b1ac2d04a2fff095
                                                • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                • Instruction Fuzzy Hash: 94123E326083008BDB14DF69D851A1EF3E2BFC8798F158E2DE985E7390DA74E9558B43
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                                • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                • Instruction ID: 34d37b86450becb466a41cf5e05b4b6e4f6ba83d43c67205793339c73bb65f32
                                                • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                                • Instruction Fuzzy Hash: FC02ADB16046518FC358CF2EEC9053AB7E1AB8D3117448A3EE495C7381EB75FA22CB94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                                • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                                • Opcode Fuzzy Hash: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                                • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                                                • Instruction ID: 5056bb3754163dedfae5cb5dd1715c745a2a149626f0e38731df7bde6aabc197
                                                • Opcode Fuzzy Hash: 55cc36af361bbb429cac2c1a49b81fe186fd90216d15d23d5244979f9e081e2e
                                                • Instruction Fuzzy Hash: 71F17E715142558FC348CF1DE8A087AB3E1FB89311B440A2EF582C7391EB75FA16CB66
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 0486855B
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868568
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0487264E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction ID: 8ba40df6050baae4d91789c3e35453725734a981a4d0d09a87c1fd1a46b511ac
                                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction Fuzzy Hash: DD21C57251020AABEB24AE28DC91BBA77ACEF44318F1006FBED05C6144EB74FD80DB55
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 048722F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                • Instruction ID: 6c50162e63e04889d1dfff9baa4ead24e7fccce46e5e971ed4f2a6e5b907f312
                                                • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                • Instruction Fuzzy Hash: B411E9366007055FDB18AF39C8A167AB791FF84359B144D2DDA4787650D371F542C744
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,048725C8,00000000,00000000,?), ref: 04872856
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 04872369
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,048647B2,?,00000004), ref: 04868C27
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID:
                                                • API String ID: 2299586839-0
                                                APIs
                                                  • Part of subcall function 00445909: RtlEnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                APIs
                                                  • Part of subcall function 04865B70: RtlEnterCriticalSection.NTDLL(?), ref: 04865B7F
                                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 04868723
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 0487226E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                APIs
                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID:
                                                • API String ID: 2299586839-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                                • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                • Instruction ID: f2a5b0f2c7530c3fa7347e3840037503b41cba0043ba0cb311428f7e8075093b
                                                • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                                • Instruction Fuzzy Hash: F66116B160071966EE385B6C8C947BE23D59B55388F040F1ADD82DB2B0E751BB41CA1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                • Instruction ID: 2367e253bae76bc4913459f762341a52eea5929ad27a58e1e4fe19c5893309ba
                                                • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                • Instruction Fuzzy Hash: A461577170070C66EA399B684D907BE2385EB41308F400F1AED82DF6F0E651FB46E756
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                • Instruction ID: e51dce4a48d3e7673940e73619d9a4174751d09a364225dd200f0ce8ec90c7e0
                                                • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                                • Instruction Fuzzy Hash: 0C615B729083489FD304EF78D580A5BB7E4AFC8718F540E2EF499D6154EB71EA088B93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: 39d9a3b19ca9b6512b1e1d688e2e58dee0c7f1f7521d3ef79995d29b77c0c524
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 7511047720104247D617EA3DD8B46BBA795EFC5321B2D4F6BD881CB778E222B1F49602
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                • Instruction ID: 933ff9f54dff6ff0bbd477003fb5c7ca2ccdbcdd9af991a805a220ef85264ab2
                                                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                • Instruction Fuzzy Hash: B001F777A016148FDF21CF20C904BAA33F5EB87205F154AA4E606D7281E370B8C18B80
                                                APIs
                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                • DeleteObject.GDI32(?), ref: 00419027
                                                • DeleteObject.GDI32(?), ref: 00419034
                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                • DeleteDC.GDI32(?), ref: 00419293
                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                • String ID: DISPLAY
                                                • API String ID: 4256916514-865373369
                                                • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                • GetLastError.KERNEL32 ref: 004184B5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                • API String ID: 4188446516-3035715614
                                                • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                • API String ID: 1861856835-1447701601
                                                • Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                                • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                • Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                                • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                • API String ID: 3797177996-2483056239
                                                • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                • API String ID: 2649220323-436679193
                                                • Opcode ID: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                • Opcode Fuzzy Hash: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                APIs
                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                • SetEvent.KERNEL32 ref: 0041B2AA
                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                • API String ID: 738084811-2094122233
                                                • Opcode ID: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                • Opcode Fuzzy Hash: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$Create
                                                • String ID: RIFF$WAVE$data$fmt
                                                • API String ID: 1602526932-4212202414
                                                • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\E84Ddy7gSh.exe,00000001,00407688,C:\Users\user\Desktop\E84Ddy7gSh.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                • API String ID: 1646373207-2549867146
                                                • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 04832736
                                                • ExitProcess.KERNEL32(00000000), ref: 04832742
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 048327BC
                                                • OpenProcess.KERNEL32(00100000,00000000,?), ref: 048327CB
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 048327D6
                                                • CloseHandle.KERNEL32(00000000), ref: 048327DD
                                                • GetCurrentProcessId.KERNEL32 ref: 048327E3
                                                • PathFileExistsW.SHLWAPI(?), ref: 04832814
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 04832877
                                                • GetTempFileNameW.KERNEL32(?,0046C58C,00000000,?), ref: 04832891
                                                • lstrcatW.KERNEL32(?,0046C598), ref: 048328A3
                                                  • Part of subcall function 0483C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0483C808,00000000,00000000,?), ref: 0483C728
                                                • Sleep.KERNEL32(000001F4), ref: 04832924
                                                • OpenProcess.KERNEL32(00100000,00000000,?), ref: 04832939
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04832944
                                                • CloseHandle.KERNEL32(00000000), ref: 0483294B
                                                • GetCurrentProcessId.KERNEL32 ref: 04832951
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
                                                • String ID: 8SG$WDH$exepath
                                                • API String ID: 1507772987-3485537677
                                                • Opcode ID: 7382e5041dfdc3f17c085a94aaa2370adad8fa3b8a06acba275b45df2a203793
                                                • Instruction ID: f493d626061d1381f9d774b39912508bb901c7014a655346f4172af33435fa99
                                                • Opcode Fuzzy Hash: 7382e5041dfdc3f17c085a94aaa2370adad8fa3b8a06acba275b45df2a203793
                                                • Instruction Fuzzy Hash: 4351EB71A40225BBEB00A7A49C49EFE736CAB04716F004BE5F801E71D1EFB5AE418B95
                                                APIs
                                                • CreateDCA.GDI32(0046C888,00000000,00000000,00000000), ref: 04839132
                                                • CreateCompatibleDC.GDI32(00000000), ref: 0483913F
                                                  • Part of subcall function 048395C7: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 048395F7
                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 048391B5
                                                • DeleteObject.GDI32(00000000), ref: 048391D2
                                                • SelectObject.GDI32(00000000,00000000), ref: 048391F3
                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0483922B
                                                • GetCursorInfo.USER32(?), ref: 04839249
                                                • GetIconInfo.USER32(?,?), ref: 0483925F
                                                • DeleteObject.GDI32(?), ref: 0483928E
                                                • DeleteObject.GDI32(?), ref: 0483929B
                                                • DrawIcon.USER32(00000000,?,?,?), ref: 048392A8
                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00473198,00000000,00000000,00660046), ref: 048392DE
                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 0483930A
                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 04839377
                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 048393E6
                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0483940A
                                                • DeleteObject.GDI32(00000000), ref: 04839424
                                                • GlobalFree.KERNEL32(?), ref: 0483942F
                                                • DeleteObject.GDI32(00000000), ref: 048394E3
                                                • GlobalFree.KERNEL32(?), ref: 048394EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                • String ID:
                                                • API String ID: 2309981249-0
                                                • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                • Instruction ID: 3fdf627cb94520d567dc013aa380b65fa60c4fd01cd7c16f166b015a6772424b
                                                • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                • Instruction Fuzzy Hash: 0FC15BB1108315EFD724DF24D844B6BBBE9EB88715F00092DF989D72A0DB74E944CBA6
                                                APIs
                                                  • Part of subcall function 04832AF2: TerminateProcess.KERNEL32(00000000,?,0482DAB1), ref: 04832B02
                                                  • Part of subcall function 04832AF2: WaitForSingleObject.KERNEL32(000000FF,?,0482DAB1), ref: 04832B15
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0482D7BF
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0482D7D2
                                                  • Part of subcall function 0483C6E9: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0483C808,00000000,00000000,?), ref: 0483C728
                                                • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0482DA66
                                                • ExitProcess.KERNEL32 ref: 0482DA72
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                                                • String ID: 8SG$@qF$DqF@qF$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$while fso.FileExists("$xdF$xpF
                                                • API String ID: 1359289687-3067577124
                                                • Opcode ID: 183e3a47f802c39214e20746608bb0bd18ac8d6098a6ad0476d4d564e1fe9f82
                                                • Instruction ID: dde032e441d370de7b3775eab9bdb01ce9c7cd6e3165aceb6b0fb9c721520def
                                                • Opcode Fuzzy Hash: 183e3a47f802c39214e20746608bb0bd18ac8d6098a6ad0476d4d564e1fe9f82
                                                • Instruction Fuzzy Hash: C691E7312043206AE314FB78DA50DAF7395AFD0608F504E6DA546D31A1EFE479C9C667
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0482594D
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                • __Init_thread_footer.LIBCMT ref: 0482598A
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 04825AA6
                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 04825AFE
                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 04825B23
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 04825B50
                                                  • Part of subcall function 04854A68: __onexit.LIBCMT ref: 04854A6E
                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 04825C4B
                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 04825C65
                                                • TerminateProcess.KERNEL32(00000000), ref: 04825C7E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                                                • String ID: 0lG$0lG$0lG$0lG$0lG$cmd.exe$kG
                                                • API String ID: 3407654705-1599548906
                                                • Opcode ID: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                                • Instruction ID: 22e9359954d1d6ab4dd0bf63febceeeef11127e9e2b6a406645c89f3a4accd75
                                                • Opcode Fuzzy Hash: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                                • Instruction Fuzzy Hash: DD910A71644224BFE701FF28AE40E6A779AEB40708F414E3DF449D71A1DFA56CC48B5A
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                • _wcslen.LIBCMT ref: 0041C1CC
                                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                • GetLastError.KERNEL32 ref: 0041C204
                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                • GetLastError.KERNEL32 ref: 0041C261
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                • String ID: ?
                                                • API String ID: 3941738427-1684325040
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0483C32E
                                                • _memcmp.LIBVCRUNTIME ref: 0483C346
                                                • lstrlenW.KERNEL32(?), ref: 0483C35F
                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0483C39A
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0483C3AD
                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0483C3F1
                                                • lstrcmpW.KERNEL32(?,?), ref: 0483C40C
                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0483C424
                                                • _wcslen.LIBCMT ref: 0483C433
                                                • FindVolumeClose.KERNEL32(?), ref: 0483C453
                                                • GetLastError.KERNEL32 ref: 0483C46B
                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0483C498
                                                • lstrcatW.KERNEL32(?,?), ref: 0483C4B1
                                                • lstrcpyW.KERNEL32(?,?), ref: 0483C4C0
                                                • GetLastError.KERNEL32 ref: 0483C4C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                • String ID: ?
                                                • API String ID: 3941738427-1684325040
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                                • String ID:
                                                • API String ID: 2719235668-0
                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 048384B9
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 048384D1
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 048384E7
                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0483850D
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0483858F
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 048385A3
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 048385E3
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 048386AD
                                                • SetThreadContext.KERNEL32(?,00000000), ref: 048386CA
                                                • ResumeThread.KERNEL32(?), ref: 048386D7
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 048386EE
                                                • GetCurrentProcess.KERNEL32(?), ref: 048386F9
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 04838714
                                                • GetLastError.KERNEL32 ref: 0483871C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                • String ID: ntdll
                                                • API String ID: 3275803005-3337577438
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                • API String ID: 2490988753-3346362794
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                • String ID:
                                                • API String ID: 3899193279-0
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                • String ID: /stext "$0TG$0TG$NG$NG
                                                • API String ID: 1223786279-2576077980
                                                APIs
                                                  • Part of subcall function 04832AF2: TerminateProcess.KERNEL32(00000000,?,0482DAB1), ref: 04832B02
                                                  • Part of subcall function 04832AF2: WaitForSingleObject.KERNEL32(000000FF,?,0482DAB1), ref: 04832B15
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0482D447
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0482D45A
                                                  • Part of subcall function 0483BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,048242E3), ref: 0483BC97
                                                • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0482D6B4
                                                • ExitProcess.KERNEL32 ref: 0482D6BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                                                • String ID: 8SG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$dMG$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("$xdF
                                                • API String ID: 508158800-2455986086
                                                APIs
                                                • Sleep.KERNEL32(00001388), ref: 0482A9E2
                                                  • Part of subcall function 0482A917: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0482A9EF), ref: 0482A94D
                                                  • Part of subcall function 0482A917: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0482A9EF), ref: 0482A95C
                                                  • Part of subcall function 0482A917: Sleep.KERNEL32(00002710,?,?,?,0482A9EF), ref: 0482A989
                                                  • Part of subcall function 0482A917: CloseHandle.KERNEL32(00000000,?,?,?,0482A9EF), ref: 0482A990
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0482AA1E
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0482AA2F
                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0482AA46
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0482AAC0
                                                  • Part of subcall function 0483C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C796
                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0482ABC9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                • String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
                                                • API String ID: 3795512280-661585845
                                                APIs
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                                • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                • String ID: PkGNG
                                                • API String ID: 3658366068-263838557
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                • __aulldiv.LIBCMT ref: 00408D88
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                • API String ID: 3086580692-2582957567
                                                APIs
                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                • API String ID: 3795512280-1152054767
                                                • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                APIs
                                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                • API String ID: 994465650-3229884001
                                                • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                • _free.LIBCMT ref: 0045137F
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 004513A1
                                                • _free.LIBCMT ref: 004513B6
                                                • _free.LIBCMT ref: 004513C1
                                                • _free.LIBCMT ref: 004513E3
                                                • _free.LIBCMT ref: 004513F6
                                                • _free.LIBCMT ref: 00451404
                                                • _free.LIBCMT ref: 0045140F
                                                • _free.LIBCMT ref: 00451447
                                                • _free.LIBCMT ref: 0045144E
                                                • _free.LIBCMT ref: 0045146B
                                                • _free.LIBCMT ref: 00451483
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 048715F1
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870806
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870818
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 0487082A
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 0487083C
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 0487084E
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870860
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870872
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870884
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 04870896
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 048708A8
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 048708BA
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 048708CC
                                                  • Part of subcall function 048707E9: _free.LIBCMT ref: 048708DE
                                                • _free.LIBCMT ref: 048715E6
                                                  • Part of subcall function 04866A69: HeapFree.KERNEL32(00000000,00000000,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?), ref: 04866A7F
                                                  • Part of subcall function 04866A69: GetLastError.KERNEL32(?,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?,?), ref: 04866A91
                                                • _free.LIBCMT ref: 04871608
                                                • _free.LIBCMT ref: 0487161D
                                                • _free.LIBCMT ref: 04871628
                                                • _free.LIBCMT ref: 0487164A
                                                • _free.LIBCMT ref: 0487165D
                                                • _free.LIBCMT ref: 0487166B
                                                • _free.LIBCMT ref: 04871676
                                                • _free.LIBCMT ref: 048716AE
                                                • _free.LIBCMT ref: 048716B5
                                                • _free.LIBCMT ref: 048716D2
                                                • _free.LIBCMT ref: 048716EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction ID: c27b6406c9711b51ce300ca82fed1275ccb5aa4e6ba75f51b562a3d1f2622e0c
                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction Fuzzy Hash: A631AE716003019FEB60ABB9D998B5673E9EF00355F188E1DE049E7650EFB0FD908B11
                                                APIs
                                                • _wcslen.LIBCMT ref: 0482D0A9
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0482D0C2
                                                • _wcslen.LIBCMT ref: 0482D188
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0482D210
                                                • _wcslen.LIBCMT ref: 0482D268
                                                • CloseHandle.KERNEL32 ref: 0482D2CF
                                                • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000001), ref: 0482D2ED
                                                • ExitProcess.KERNEL32 ref: 0482D304
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                                                • String ID: 6$C:\Users\user\Desktop\E84Ddy7gSh.exe$xdF
                                                • API String ID: 3303048660-3361692033
                                                • Opcode ID: ca32f07cd236d0746c7fb7d4d39a7773008b6655b21f0b5af9e2845f06c6a8c0
                                                • Instruction ID: d63af0525b10b66808db5f382b27d81ff214bcedcabbb4dde1febdff5cebaf5f
                                                • Opcode Fuzzy Hash: ca32f07cd236d0746c7fb7d4d39a7773008b6655b21f0b5af9e2845f06c6a8c0
                                                • Instruction Fuzzy Hash: 305113212043207BF608BB689E60F7F6798AF80709F004E5DF905E61D1EFD8B985866B
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                • API String ID: 1913171305-3159800282
                                                • Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                • Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                APIs
                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                • GetLastError.KERNEL32 ref: 00455F31
                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                • __freea.LIBCMT ref: 0044AEB0
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                • __freea.LIBCMT ref: 0044AEB9
                                                • __freea.LIBCMT ref: 0044AEDE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID: PkGNG$tC
                                                • API String ID: 3864826663-4196309852
                                                • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                • API String ID: 0-1861860590
                                                • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                • Instruction ID: 866389508202a674d6bb5b59665450904a9fdbd642d763dcf98e71340901cf67
                                                • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                • Instruction Fuzzy Hash: CF71B7F05883216EF704EF24C850BAAB7D5AF54716F004E4EF592971D0EAB4A948D793
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: \&G$\&G$`&G
                                                • API String ID: 269201875-253610517
                                                • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: \&G$\&G$`&G
                                                • API String ID: 269201875-253610517
                                                • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                • Instruction ID: 5e56b3bff4cac8f30ee28a8fa6bd1507dfe2ef5a6b6832f4b29273e2e45e27a0
                                                • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                • Instruction Fuzzy Hash: 4C610672D00209AFEB20DFA8C850BAABBF5EF45710F144A6AE945EB250E770F941DB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 65535$udp
                                                • API String ID: 0-1267037602
                                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 65535$udp
                                                • API String ID: 0-1267037602
                                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction ID: ef0fac434524a6e0d61b20c9c6f77afec110c1394d5af013a6461a1795536ab8
                                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction Fuzzy Hash: EB51D635609305EBD3209F18D904B3A77A4AF84B56F080E29FC85D7291E7A6F94096D6
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                • GetForegroundWindow.USER32 ref: 0040AD84
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                • String ID: [${ User has been idle for $ minutes }$]
                                                • API String ID: 911427763-3954389425
                                                • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                • __dosmaperr.LIBCMT ref: 0043A926
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                • __dosmaperr.LIBCMT ref: 0043A963
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                                • _free.LIBCMT ref: 0043A9C3
                                                • _free.LIBCMT ref: 0043A9CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                • String ID:
                                                • API String ID: 2441525078-0
                                                • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04832D6F
                                                  • Part of subcall function 0483BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,048242E3), ref: 0483BC97
                                                  • Part of subcall function 0483880A: CloseHandle.KERNEL32(0482435C,?,?,0482435C,00465E84), ref: 04838820
                                                  • Part of subcall function 0483880A: CloseHandle.KERNEL32(00465E84,?,?,0482435C,00465E84), ref: 04838829
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 04833067
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 0483309E
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 048330DA
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                • String ID: ,aF$0TG$0TG$NG$NG
                                                • API String ID: 1937857116-3104526304
                                                • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                • Instruction ID: b46575c994b964e6cf5be0fdb128f0837fe85b30536cd5b1784ded16463de4ac
                                                • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                • Instruction Fuzzy Hash: 200245311083909BE325FB78D950AEFB3D5AF94348F504E6DE486D2194EFB07A89C653
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                • TranslateMessage.USER32(?), ref: 0040557E
                                                • DispatchMessageA.USER32(?), ref: 00405589
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                • API String ID: 2956720200-749203953
                                                • Opcode ID: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                                • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                • Opcode Fuzzy Hash: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                                • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 04825726
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 048257D6
                                                • TranslateMessage.USER32(?), ref: 048257E5
                                                • DispatchMessageA.USER32(?), ref: 048257F0
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 048258A8
                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 048258E0
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                • API String ID: 2956720200-749203953
                                                • Opcode ID: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                                • Instruction ID: b13ba07e1b2a9a39d1c9f25ad7811c0ad513bb1f4dd5b9b4a5024d19baaab8ea
                                                • Opcode Fuzzy Hash: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                                • Instruction Fuzzy Hash: 9641CC32640220ABDB14FB78DE5886F77A8AB85604F404E6CF906C31A0EFB4A945C797
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 04833FE8
                                                  • Part of subcall function 04833CF7: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 04833D5E
                                                  • Part of subcall function 04833CF7: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 04833D8D
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 04834156
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumInfoOpenQuerysend
                                                • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                                • API String ID: 3114080316-4028018678
                                                • Opcode ID: 70faf1fdc12839e8a193ee9278999af9371e264b1372819520fb3d86335c1ef9
                                                • Instruction ID: 232240d1124f88e62e27eb78f5581a0cf7e85bd8a5adf2dfa182e73902516f74
                                                • Opcode Fuzzy Hash: 70faf1fdc12839e8a193ee9278999af9371e264b1372819520fb3d86335c1ef9
                                                • Instruction Fuzzy Hash: 4241163064426067E214F73CEE50AEF7794DFD1248F408E2EA44AD7194EFA57D8982A7
                                                APIs
                                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                • ShellExecuteEx.SHELL32(0000003C), ref: 00417DE3
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                • String ID: 0VG$0VG$<$@$Temp
                                                • API String ID: 1704390241-2575729100
                                                • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 04831110
                                                • int.LIBCPMT ref: 04831123
                                                  • Part of subcall function 0482E363: std::_Lockit::_Lockit.LIBCPMT ref: 0482E374
                                                  • Part of subcall function 0482E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0482E38E
                                                • std::_Facet_Register.LIBCPMT ref: 04831163
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0483116C
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0483118A
                                                • __Init_thread_footer.LIBCMT ref: 048311CB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                • String ID: ,kG$0kG$@!G
                                                • API String ID: 3815856325-312998898
                                                • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                • Instruction ID: ed971bb73b29f081115bc354ffd047b28d6b7ecd971d3f73639eae4b172b6450
                                                • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                • Instruction Fuzzy Hash: FE213B319005249BD704FB6CD9449ED77A9DF05B25B210B5AE804E72A0DFB1BE81CBDA
                                                APIs
                                                • OpenClipboard.USER32 ref: 0041697C
                                                • EmptyClipboard.USER32 ref: 0041698A
                                                • CloseClipboard.USER32 ref: 00416990
                                                • OpenClipboard.USER32 ref: 00416997
                                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                • CloseClipboard.USER32 ref: 004169BF
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                • String ID: !D@
                                                • API String ID: 2172192267-604454484
                                                • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
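The API reference lines in the function entries above (OpenClipboard/GetClipboardData followed by a send() sub-call, the Sleep/GetForegroundWindow/GetWindowTextW idle monitor, GetModuleFileNameW/DeleteFileW, OpenSCManagerW/ControlService) are the raw material for capability triage. The Python below is an added example written for this report, not Joe Sandbox code: it parses entries in the listing format shown here, decodes the few Win32 constants that are unambiguous at those parameter positions (CF_UNICODETEXT, SERVICE_CONTROL_STOP, KEY_READ, MAX_PATH, Sleep milliseconds), and tags behaviours from required API sets. The capability names and the constant table are the example's own choices, and the sample entries are copied (trimmed) from the API lines of this report. Argument values recovered by the IDA plugin can be imprecise, so decoded names are hints for an analyst, not ground truth.

```python
"""Capability triage over Joe Sandbox function-level API listings (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List, Tuple, Union

# One API reference line, e.g. "• GetClipboardData.USER32(0000000D), ref: 004169A7".
# "Part of subcall function" lines are attributed to the enclosing function,
# so a send() reached through a helper still counts for that function.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:~@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)
Arg = Union[int, str, None]

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return None                      # value not recovered by the plugin
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # immediate or pointer
    return tok                           # literal string argument

def parse_entry(text: str) -> List[Dict]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": m.group("ref")})
    return calls

# (api, argument index) -> {value: name}. Only constants that are unambiguous
# at that parameter position; this table is the example's own.
KNOWN_ARGS = {
    ("GetClipboardData", 0): {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"},
    ("RegOpenKeyExW", 3): {0x20019: "KEY_READ"},
    ("ControlService", 1): {0x1: "SERVICE_CONTROL_STOP"},
    ("RegCreateKeyA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("GetModuleFileNameW", 2): {0x104: "MAX_PATH"},
}

def decode_args(call: Dict) -> List[Tuple[str, int, str]]:
    out = []
    for i, val in enumerate(call["args"]):
        if not isinstance(val, int):
            continue
        if call["api"] == "Sleep" and i == 0:
            out.append((call["api"], i, f"{val} ms"))   # dwMilliseconds
        else:
            name = KNOWN_ARGS.get((call["api"], i), {}).get(val)
            if name:
                out.append((call["api"], i, name))
    return out

# Capability tag -> APIs that must all appear in one function entry (example's own naming).
CAPABILITIES = {
    "clipboard_capture": {"OpenClipboard", "GetClipboardData"},
    "active_window_logging": {"GetForegroundWindow", "GetWindowTextW"},
    "service_control": {"OpenSCManagerW", "ControlService"},
    "self_delete": {"GetModuleFileNameW", "DeleteFileW"},
    "drop_and_execute": {"ShellExecuteEx", "DeleteFileA"},
    "registry_enumeration": {"RegOpenKeyExW", "RegEnumKeyExW"},
}

def classify(text: str) -> Dict:
    calls = parse_entry(text)
    apis = {c["api"] for c in calls}
    return {
        "apis": sorted(apis),
        "capabilities": sorted(t for t, need in CAPABILITIES.items() if need <= apis),
        "exfil_via_socket": "send" in apis,      # WS2_32!send reachable from this function
        "decoded": [d for c in calls for d in decode_args(c)],
    }

# Sample entries copied (trimmed) from the API lines of this report.
CLIPBOARD = """\
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
"""
IDLE = """\
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
"""
SERVICE = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
"""
SELF_DELETE = """\
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04832D6F
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 04833067
  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
"""

if __name__ == "__main__":
    for name, entry in [("clipboard", CLIPBOARD), ("idle", IDLE), ("service", SERVICE), ("self_delete", SELF_DELETE)]:
        print(name, classify(entry))
```

Sub-call lines are folded into the enclosing function on purpose: the clipboard and self-delete entries above only reach WS2_32!send through a helper, and that is exactly the signal (capture then transmit) that separates exfiltration from benign clipboard use. Add a tag only when every API in its set appears in the same function entry; matching on a single API such as RegCreateKeyA produces noise, as the plugin emits it for ordinary runtime code too.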
                                                APIs
                                                • _free.LIBCMT ref: 004481B5
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 004481C1
                                                • _free.LIBCMT ref: 004481CC
                                                • _free.LIBCMT ref: 004481D7
                                                • _free.LIBCMT ref: 004481E2
                                                • _free.LIBCMT ref: 004481ED
                                                • _free.LIBCMT ref: 004481F8
                                                • _free.LIBCMT ref: 00448203
                                                • _free.LIBCMT ref: 0044820E
                                                • _free.LIBCMT ref: 0044821C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                APIs
                                                • _free.LIBCMT ref: 0486841C
                                                  • Part of subcall function 04866A69: HeapFree.KERNEL32(00000000,00000000,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?), ref: 04866A7F
                                                  • Part of subcall function 04866A69: GetLastError.KERNEL32(?,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?,?), ref: 04866A91
                                                • _free.LIBCMT ref: 04868428
                                                • _free.LIBCMT ref: 04868433
                                                • _free.LIBCMT ref: 0486843E
                                                • _free.LIBCMT ref: 04868449
                                                • _free.LIBCMT ref: 04868454
                                                • _free.LIBCMT ref: 0486845F
                                                • _free.LIBCMT ref: 0486846A
                                                • _free.LIBCMT ref: 04868475
                                                • _free.LIBCMT ref: 04868483
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                • Instruction ID: bedb59dcc8d952515eae33d49dac03171e058d484962e4af539548e7db7c20e3
                                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                • Instruction Fuzzy Hash: 6F111936200048FFDB81EFD9D940CDC3B65EF04645F0186AAB90ADF220EA71EBA09B41
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 048323A8
                                                  • Part of subcall function 04833B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 04833B27
                                                  • Part of subcall function 04833B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0482C3F4,00466C58,00000001,000000AF,004660B4), ref: 04833B42
                                                  • Part of subcall function 04833B19: RegCloseKey.ADVAPI32(004660B4,?,?,?,0482C3F4,00466C58,00000001,000000AF,004660B4), ref: 04833B4D
                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 048323E8
                                                • CloseHandle.KERNEL32(00000000), ref: 048323F7
                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 0483244D
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 048326BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                • String ID: WDH
                                                • API String ID: 3018269243-2057347716
                                                • Opcode ID: b4c3793ea6c4abfbce30ba5e71894ba14c4d78db8eedaf37be1c5a9400dd77cf
                                                • Instruction ID: a367be4a01a60073d166b0d41c3b7ddc47f66ea21e5c64cf9de008c47981a8c0
                                                • Opcode Fuzzy Hash: b4c3793ea6c4abfbce30ba5e71894ba14c4d78db8eedaf37be1c5a9400dd77cf
                                                • Instruction Fuzzy Hash: 7171843160432067E604FB78DE55D6E7364AF91609F400FADB482D21E0EFE4BA44C6A7
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0482F730
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0482F75B
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0482F777
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0482F7F6
                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0482F805
                                                  • Part of subcall function 0483C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0483C4ED
                                                  • Part of subcall function 0483C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0483C500
                                                • CloseHandle.KERNEL32(00000000), ref: 0482F910
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                • String ID: xdF$xdF
                                                • API String ID: 3756808967-3986811408
                                                • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                • Instruction ID: ef8eeae4e651d0bfb5701639cda84a26e40fd009ce2c66947a5bd5b8f6c0fdad
                                                • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                • Instruction Fuzzy Hash: 307189311143509BE714FF64D954DAFB7A4AF90208F404E6DE686D31A1EFB0B989CB93
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Eventinet_ntoa
                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                • API String ID: 3578746661-3604713145
                                                • Opcode ID: 38c3c7176244b4b6310fd9205d8951a2ba4c04effc7f855f37438cca8d95bfb9
                                                • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                • Opcode Fuzzy Hash: 38c3c7176244b4b6310fd9205d8951a2ba4c04effc7f855f37438cca8d95bfb9
                                                • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Eventinet_ntoa
                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                • API String ID: 3578746661-3604713145
                                                • Opcode ID: 38c3c7176244b4b6310fd9205d8951a2ba4c04effc7f855f37438cca8d95bfb9
                                                • Instruction ID: 0295391944c1f43166c79d39f3314ebbc27dfa6c302a34261b885a6a490a9cbc
                                                • Opcode Fuzzy Hash: 38c3c7176244b4b6310fd9205d8951a2ba4c04effc7f855f37438cca8d95bfb9
                                                • Instruction Fuzzy Hash: DE510631A042109BE614FB3CCE18A6E77A59B40709F404F69E806D76A4EFF4B985C7DB
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0483A2B1
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0483A36F
                                                • GetLocalTime.KERNEL32(?), ref: 0483A3FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateDirectoryH_prologLocalTime
                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                • API String ID: 2709065311-1431523004
                                                • Opcode ID: 95e2b2175dcad42d57fc42b688d4a52931778c628c4b554f4f231ba9717664a4
                                                • Instruction ID: daf174acb08e1be75b915f8e03015c2a22efb85d8c28fad6661d0da49c7bd4ed
                                                • Opcode Fuzzy Hash: 95e2b2175dcad42d57fc42b688d4a52931778c628c4b554f4f231ba9717664a4
                                                • Instruction Fuzzy Hash: E351D470A00224ABEB14FBBCCD50AFD7768AF44305F404A6AE545E7190EFA87D85C7A6
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0482AFDA
                                                • Sleep.KERNEL32(000001F4), ref: 0482AFE5
                                                • GetForegroundWindow.USER32 ref: 0482AFEB
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0482AFF4
                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0482B028
                                                • Sleep.KERNEL32(000003E8), ref: 0482B0F6
                                                  • Part of subcall function 0482A8D8: SetEvent.KERNEL32(00000000,?,00000000,0482B4AC,00000000), ref: 0482A904
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                • String ID: [${ User has been idle for
                                                • API String ID: 911427763-3934435721
                                                • Opcode ID: 89d290f1301d87229230a32b971318c5e4ae4cc84a0554586c4229361175ef3f
                                                • Instruction ID: 7ae283d8ed69ad2a7f956b4deb071be99693403ea7e958397545b88d392fde6d
                                                • Opcode Fuzzy Hash: 89d290f1301d87229230a32b971318c5e4ae4cc84a0554586c4229361175ef3f
                                                • Instruction Fuzzy Hash: 4B5114716042609BE305FB68CA94A6E7395AF84308F400F6DF886D21E0EFB4BAC4C757
                                                APIs
                                                • RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DecodePointer
                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                • API String ID: 3527080286-3064271455
                                                • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                APIs
                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                • __fassign.LIBCMT ref: 0044B4F9
                                                • __fassign.LIBCMT ref: 0044B514
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID: PkGNG
                                                • API String ID: 1324828854-263838557
                                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                APIs
                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0486BE18,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0486B6E5
                                                • __fassign.LIBCMT ref: 0486B760
                                                • __fassign.LIBCMT ref: 0486B77B
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0486B7A1
                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0486BE18,00000000,?,?,?,?,?,?,?,?,PkGNG,0486BE18,?), ref: 0486B7C0
                                                • WriteFile.KERNEL32(?,?,00000001,0486BE18,00000000,?,?,?,?,?,?,?,?,PkGNG,0486BE18,?), ref: 0486B7F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID: PkGNG
                                                • API String ID: 1324828854-263838557
                                                • Opcode ID: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                                • Instruction ID: ec3dab9b84e39994a9f25d54549f20bd7069236bd3fa071083e7f537e94992e9
                                                • Opcode Fuzzy Hash: df6090bc8f26b7e29a48799c2f63ef8664aacbe2c579135c1419eb37ea41631a
                                                • Instruction Fuzzy Hash: C151C8719002099FDB10CFA8DC41BEEBBF4EF09314F144A6AE956E7291E770B941CB65
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04835077
                                                • LoadLibraryA.KERNEL32(?), ref: 048350B9
                                                • LoadLibraryA.KERNEL32(?), ref: 04835118
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 04835140
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$AddressDirectoryProcSystem
                                                • String ID: IA$EIA$EIA$KA
                                                • API String ID: 4217395396-533031392
                                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                • Instruction ID: 32747cb2c60b5bfb98d5c9882c33a4f04da4566fcf76123802a4cc80e34072c5
                                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                • Instruction Fuzzy Hash: E331D2B1501315BBC320AF28CC88E9FB7E8AF84749F004E25F985D3211E774E9448AEB
                                                APIs
                                                  • Part of subcall function 048381CE: __EH_prolog.LIBCMT ref: 048381D3
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 0483807E
                                                • CloseHandle.KERNEL32(00000000), ref: 04838087
                                                • DeleteFileA.KERNEL32(00000000), ref: 04838096
                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0483804A
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                • String ID: 0VG$0VG$<$@
                                                • API String ID: 1704390241-760889559
                                                • Opcode ID: 7165d77197578441e84fe9ceed839daffa54063f9e0c2a5e79903fa6a17acd69
                                                • Instruction ID: 1ab78db61d3964e75246e03c52911cd86fe64af014f665b001a5d4ff96dddaba
                                                • Opcode Fuzzy Hash: 7165d77197578441e84fe9ceed839daffa54063f9e0c2a5e79903fa6a17acd69
                                                • Instruction Fuzzy Hash: 534174319002299BEB04FB68DD55AEDB774EF10309F404A68F506A60E4EFB52AC5CB92
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                • API String ID: 1462127192-2001430897
                                                • Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                                • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                • Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                                • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\E84Ddy7gSh.exe), ref: 004074D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentProcess
                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                • API String ID: 2050909247-4242073005
                                                • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                                • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                                • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                APIs
                                                • _strftime.LIBCMT ref: 00401D50
                                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                • API String ID: 3809562944-243156785
                                                • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                • int.LIBCPMT ref: 00410EBC
                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                • String ID: ,kG$0kG
                                                • API String ID: 3815856325-2015055088
                                                • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                APIs
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                • waveInStart.WINMM ref: 00401CFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                • String ID: dMG$|MG$PG
                                                • API String ID: 1356121797-532278878
                                                • Opcode ID: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
                                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                • Opcode Fuzzy Hash: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
                                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                APIs
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04821E60
                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,00401D0B,00000000,00000000,00000024), ref: 04821EF6
                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 04821F4A
                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 04821F59
                                                • waveInStart.WINMM ref: 04821F65
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                • String ID: dMG$|MG$PG
                                                • API String ID: 1356121797-532278878
                                                • Opcode ID: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
                                                • Instruction ID: b8c5fc1fec21deb25bbf7b918bdd1c9b7e00541e3a5130574b7879649217b9a4
                                                • Opcode Fuzzy Hash: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
                                                • Instruction Fuzzy Hash: B5214871604210AFD739DF69EE04A6A7BA6FB94715B00853AA10DD76B0DBF448C1CB1D
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                • lstrcpyn.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0041D56E
                                                • TranslateMessage.USER32(?), ref: 0041D57A
                                                • DispatchMessageA.USER32(?), ref: 0041D584
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID: Remcos
                                                • API String ID: 1970332568-165870891
                                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                • Instruction ID: fb8e68d51eff9bc221103bd925621e91a0e7cc3803d66804515ea4f36567bbdf
                                                • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                • Instruction Fuzzy Hash: 85C1C070F04249ABDB51DFACC940BADBBF4AF0A304F144A98D816EB291D7B4A941CB65
                                                APIs
                                                • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                • __freea.LIBCMT ref: 00454083
                                                • __freea.LIBCMT ref: 0045408F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 201697637-0
                                                • Opcode ID: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                • Opcode Fuzzy Hash: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                • _free.LIBCMT ref: 00445515
                                                • _free.LIBCMT ref: 0044552E
                                                • _free.LIBCMT ref: 00445560
                                                • _free.LIBCMT ref: 00445569
                                                • _free.LIBCMT ref: 00445575
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                • String ID: C
                                                • API String ID: 1679612858-1037565863
                                                • Opcode ID: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                • Opcode Fuzzy Hash: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                APIs
                                                  • Part of subcall function 048684FC: GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                  • Part of subcall function 048684FC: _free.LIBCMT ref: 04868533
                                                  • Part of subcall function 048684FC: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                  • Part of subcall function 048684FC: _abort.LIBCMT ref: 0486857A
                                                • _memcmp.LIBVCRUNTIME ref: 0486570B
                                                • _free.LIBCMT ref: 0486577C
                                                • _free.LIBCMT ref: 04865795
                                                • _free.LIBCMT ref: 048657C7
                                                • _free.LIBCMT ref: 048657D0
                                                • _free.LIBCMT ref: 048657DC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                • String ID: C
                                                • API String ID: 1679612858-1037565863
                                                • Opcode ID: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                • Instruction ID: 23e3099e72565ace68b293865308eeb15a254870e63f2b7ee3f581acdb8c7649
                                                • Opcode Fuzzy Hash: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                • Instruction Fuzzy Hash: 06B10C75A01219EBDB64DF18D884AADB7B5FB48304F104AAAD94AE7350E770BE90CF44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: tcp$udp
                                                • API String ID: 0-3725065008
                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,PkGNG,0486B181,00000001,00000001,00000006), ref: 0486AF8A
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,PkGNG,0486B181,00000001,00000001,00000006), ref: 0486B010
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0486B10A
                                                • __freea.LIBCMT ref: 0486B117
                                                  • Part of subcall function 0486641F: RtlAllocateHeap.NTDLL(00000000,048555B0,?), ref: 04866451
                                                • __freea.LIBCMT ref: 0486B120
                                                • __freea.LIBCMT ref: 0486B145
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID: PkGNG
                                                • API String ID: 1414292761-263838557
                                                • Opcode ID: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
                                                • Instruction ID: a019828586947699656e89d070f9e82a719e4e93b0a4739f965798e0699a8457
                                                • Opcode Fuzzy Hash: 063005e08074a30aa5a7525b1a3cdd37634a4b88fb4996d08a0078e91088f893
                                                • Instruction Fuzzy Hash: 94510572600226ABEB659F64CC41EBB77A9EF44758F144B28FD06E7150EB74FC40CA61
                                                APIs
                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0483B434
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0483B470
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0483B486
                                                • SetEvent.KERNEL32 ref: 0483B511
                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0483B522
                                                • CloseHandle.KERNEL32 ref: 0483B532
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                                • String ID: open "
                                                • API String ID: 1811012380-3219617982
                                                • Opcode ID: 1962c3d4fb40b8be99efedbcc0b43e05d801a0b69fe6eb8e43eb8b8166c4a5cb
                                                • Instruction ID: f2b5be94cb6b0ca76b3081e800c91e4722ac46d094a9548dafe3658e0202d4bd
                                                • Opcode Fuzzy Hash: 1962c3d4fb40b8be99efedbcc0b43e05d801a0b69fe6eb8e43eb8b8166c4a5cb
                                                • Instruction Fuzzy Hash: 9451C6B12443147AE314BB78DD91E7F379CDB80749F000E2AF546D21A1EFA47D4886AB
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                • RtlExitUserThread.KERNEL32(00000000), ref: 004018F6
                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                • String ID: PkG$XMG$NG$NG
                                                • API String ID: 1265842484-3151166067
                                                • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 04821B25
                                                • RtlExitUserThread.NTDLL(00000000), ref: 04821B5D
                                                • waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EE0,00000000), ref: 04821C6B
                                                  • Part of subcall function 04854A68: __onexit.LIBCMT ref: 04854A6E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                • String ID: PkG$XMG$NG$NG
                                                • API String ID: 1265842484-3151166067
                                                • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                • Instruction ID: b2548fa983c54f29e1482ab5bfcba6cb1aa49fd8f020a7353bd4d04b9b31bef4
                                                • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                • Instruction Fuzzy Hash: 224180311042609BE324FB2CEE94AAE73A6EB95314F504E29E449D61A0EFB179C9C717
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                • String ID: .part
                                                • API String ID: 1303771098-3499674018
                                                • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                APIs
                                                  • Part of subcall function 048381CE: __EH_prolog.LIBCMT ref: 048381D3
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 0483807E
                                                • CloseHandle.KERNEL32(00000000), ref: 04838087
                                                • DeleteFileA.KERNEL32(00000000), ref: 04838096
                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0483804A
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                • String ID: 0VG$<$@
                                                • API String ID: 1704390241-2149486900
                                                • Opcode ID: 78c680d819ea39830a1d05ad0b7372c8751083bbb383b8a91c29e46b5f4c9c74
                                                • Instruction ID: eb24f8ab5cd1ff48d2ad459f74aae24b6ffd22b7ce07085e5501da79ca9e5693
                                                • Opcode Fuzzy Hash: 78c680d819ea39830a1d05ad0b7372c8751083bbb383b8a91c29e46b5f4c9c74
                                                • Instruction Fuzzy Hash: 793196319001299BEB04FB64DD51AEDB774EF10309F404B68F506A60E4EFB52EC5CB92
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0482A575
                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0482A583
                                                • GetLastError.KERNEL32 ref: 0482A58F
                                                  • Part of subcall function 0483B7E7: GetLocalTime.KERNEL32(00000000), ref: 0483B801
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0482A5DD
                                                • TranslateMessage.USER32(?), ref: 0482A5EC
                                                • DispatchMessageA.USER32(?), ref: 0482A5F7
                                                Strings
                                                • Keylogger initialization failure: error , xrefs: 0482A5A3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                • String ID: Keylogger initialization failure: error
                                                • API String ID: 3219506041-952744263
                                                • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                • Instruction ID: 456bc91578c4815880b25a2998a312bdca5e425d1e399312cc67505e6f620d3a
                                                • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                • Instruction Fuzzy Hash: FB119D71500211EBC710BBB99E0886B76ECEF85612B400A79F842C2190EF70E940C6A6
                                                APIs
                                                • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$Window$AllocOutputShow
                                                • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                • API String ID: 4067487056-2212855755
                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                APIs
                                                • SendInput.USER32 ref: 00419A25
                                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InputSend$Virtual
                                                • String ID:
                                                • API String ID: 1167301434-0
                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16_free
                                                • String ID: a/p$am/pm$h{D
                                                • API String ID: 2936374016-2303565833
                                                • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                APIs
                                                • GetCPInfo.KERNEL32(?,?), ref: 04874116
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 04874199
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0487422C
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 04874243
                                                  • Part of subcall function 0486641F: RtlAllocateHeap.NTDLL(00000000,048555B0,?), ref: 04866451
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 048742BF
                                                • __freea.LIBCMT ref: 048742EA
                                                • __freea.LIBCMT ref: 048742F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 2829977744-0
                                                • Opcode ID: 7957f9ddf7da7bce7cfd6e1da178ceed675a0adcde0f2090512f6258e8543b2b
                                                • Instruction ID: f120dcfd5251c1484509a2ebea30f41b8bea0be5e7b6138e3d6b6ed1c9461ffc
                                                • Opcode Fuzzy Hash: 7957f9ddf7da7bce7cfd6e1da178ceed675a0adcde0f2090512f6258e8543b2b
                                                • Instruction Fuzzy Hash: 2A91C471E10226ABDB219EA4CC60AEEBBB5EF09B54F044B29ED15E7151E735E840CB60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: udp
                                                • API String ID: 0-4243565622
                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction ID: 64ee1e782b408150646f7199046d76804f3c4e75b6adf42f07064f1924f9413a
                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction Fuzzy Hash: DC718C30A083069FDB249F14C54462ABBE0EF89B56F144F2EF885C7261E7B4E945CBD2
                                                APIs
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                • _free.LIBCMT ref: 00444E87
                                                • _free.LIBCMT ref: 00444E9E
                                                • _free.LIBCMT ref: 00444EBD
                                                • _free.LIBCMT ref: 00444ED8
                                                • _free.LIBCMT ref: 00444EEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID: KED
                                                • API String ID: 3033488037-2133951994
                                                • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$InfoQueryValue
                                                • String ID: [regsplt]$xUG$TG
                                                • API String ID: 3554306468-1165877943
                                                • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                APIs
                                                  • Part of subcall function 04832AF2: TerminateProcess.KERNEL32(00000000,?,0482DAB1), ref: 04832B02
                                                  • Part of subcall function 04832AF2: WaitForSingleObject.KERNEL32(000000FF,?,0482DAB1), ref: 04832B15
                                                  • Part of subcall function 0483399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 048339B6
                                                  • Part of subcall function 0483399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 048339CF
                                                  • Part of subcall function 0483399A: RegCloseKey.ADVAPI32(?), ref: 048339DA
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0482DAFB
                                                • ShellExecuteW.SHELL32(00000000,00466118,00000000,00466478,00466478,00000000), ref: 0482DC5A
                                                • ExitProcess.KERNEL32 ref: 0482DC66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                • String ID: 8SG$exepath$xdF
                                                • API String ID: 1913171305-3578471011
                                                • Opcode ID: 42ab35d1de50171d89691c1a4e51747da9b5414ad99897b439254141905a24e9
                                                • Instruction ID: 20adc3ab39a89e4f56e1e7d01f7bba4921375d62b3606b6be816ce2cb6e7830c
                                                • Opcode Fuzzy Hash: 42ab35d1de50171d89691c1a4e51747da9b5414ad99897b439254141905a24e9
                                                • Instruction Fuzzy Hash: 0E4198319101246BEB04FBA8DD50DFE7778AF50604F500BAAE506F3190EFA43EC6CA96
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumInfoOpenQuerysend
                                                • String ID: xUG$NG$NG$TG
                                                • API String ID: 3114080316-2811732169
                                                • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                                • __alloca_probe_16.LIBCMT ref: 00451231
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                                • __freea.LIBCMT ref: 0045129D
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • String ID: PkGNG
                                                • API String ID: 313313983-263838557
                                                • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                APIs
                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                • API String ID: 3286818993-122982132
                                                • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                APIs
                                                • _strftime.LIBCMT ref: 04821FB7
                                                  • Part of subcall function 04821CD4: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 04821D40
                                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 04822069
                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 048220A7
                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 048220B6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                • String ID: dMG$|MG
                                                • API String ID: 3809562944-1683252805
                                                • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                • Instruction ID: 940d0dd117b99eca5d7609dec95763aa2cf42343e4fefbda9dd78ed2546ea6bb
                                                • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                • Instruction Fuzzy Hash: 663172315143109FE324EB68DE54E9E77A8EB94304F404E39E549D21A0EFB4BA89CF57
                                                APIs
                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                  • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                • API String ID: 1133728706-4073444585
                                                • Opcode ID: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                • Opcode Fuzzy Hash: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                • Instruction ID: 38c94d6f214ffee3e3dad918b9dddb6366cc8e8991dbeeef088cc21a99ff39e9
                                                • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                • Instruction Fuzzy Hash: 4D11D872A05155BBDB51AF7ACC04D6F7A5CDFC6734B200F28F81AD6150FA71E84096B1
                                                APIs
                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                • _free.LIBCMT ref: 00450FC8
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00450FD3
                                                • _free.LIBCMT ref: 00450FDE
                                                • _free.LIBCMT ref: 00451032
                                                • _free.LIBCMT ref: 0045103D
                                                • _free.LIBCMT ref: 00451048
                                                • _free.LIBCMT ref: 00451053
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                APIs
                                                  • Part of subcall function 04870F28: _free.LIBCMT ref: 04870F51
                                                • _free.LIBCMT ref: 0487122F
                                                  • Part of subcall function 04866A69: HeapFree.KERNEL32(00000000,00000000,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?), ref: 04866A7F
                                                  • Part of subcall function 04866A69: GetLastError.KERNEL32(?,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?,?), ref: 04866A91
                                                • _free.LIBCMT ref: 0487123A
                                                • _free.LIBCMT ref: 04871245
                                                • _free.LIBCMT ref: 04871299
                                                • _free.LIBCMT ref: 048712A4
                                                • _free.LIBCMT ref: 048712AF
                                                • _free.LIBCMT ref: 048712BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction ID: 5e62f65df3c282bc214e95db5c55f2d5db12eda92d124f238c0104ee0e0b3630
                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction Fuzzy Hash: 6D118171541B04BAEAA0FBB4DC05FCFB79C9F05704F408E18A69AE60D0DAA4F5964652
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                • int.LIBCPMT ref: 004111BE
                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: (mG
                                                • API String ID: 2536120697-4059303827
                                                • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 04831412
                                                • int.LIBCPMT ref: 04831425
                                                  • Part of subcall function 0482E363: std::_Lockit::_Lockit.LIBCPMT ref: 0482E374
                                                  • Part of subcall function 0482E363: std::_Lockit::~_Lockit.LIBCPMT ref: 0482E38E
                                                • std::_Facet_Register.LIBCPMT ref: 04831465
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0483146E
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0483148C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: (mG
                                                • API String ID: 2536120697-4059303827
                                                • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                • Instruction ID: f07a446cd87925dd68d32830ae654742f4d192cbb1e286e47c71ad8859f0b6de
                                                • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                • Instruction Fuzzy Hash: CF110A32A00524A7DB14EFACD8448DDB7B9DF40715B104B56EC04E7290DBB0BE41CBC6
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0485A638,048595A5), ref: 0485A64F
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0485A65D
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0485A676
                                                • SetLastError.KERNEL32(00000000,?,0485A638,048595A5), ref: 0485A6C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction ID: 990a690a0e169093cb7e6a37d2307e98567e4e196d4b60776d522ec6c9679aa1
                                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction Fuzzy Hash: 8801D832219352ADBB18377DBCE456626C9EB016B97200B39EA19C15F0FF95A8805145
                                                APIs
                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\E84Ddy7gSh.exe), ref: 0040760B
                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                • CoUninitialize.OLE32 ref: 00407664
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeObjectUninitialize_wcslen
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                • API String ID: 3851391207-1217803666
                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                Strings
                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                • UserProfile, xrefs: 0040BAE8
                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                • API String ID: 2018770650-304995407
                                                • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0483D76E
                                                  • Part of subcall function 0483D807: RegisterClassExA.USER32(00000030), ref: 0483D853
                                                  • Part of subcall function 0483D807: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0483D86E
                                                  • Part of subcall function 0483D807: GetLastError.KERNEL32 ref: 0483D878
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0483D7A5
                                                • lstrcpyn.KERNEL32(00474B60,0046CF44,00000080), ref: 0483D7BF
                                                • Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0483D7D5
                                                • TranslateMessage.USER32(?), ref: 0483D7E1
                                                • DispatchMessageA.USER32(?), ref: 0483D7EB
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0483D7F8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID:
                                                • API String ID: 1970332568-0
                                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction ID: 05ff6766620b690ad76fdeffbd626fcae4251b53c0b294af35e96e691e7d62c7
                                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction Fuzzy Hash: 01015E71800348EBD7109FA5EC4CFAABBBCEB85706F004169F615D30A1D7B8E845CB98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe$Rmc-D7NPY6$xdF
                                                • API String ID: 0-3437514693
                                                • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                • Instruction ID: 23b6613f44cc74588e4df5de459b614f9c1c82ebe0666fa761e1ffeeaa1ed7e6
                                                • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                • Instruction Fuzzy Hash: D0F08BB0600730EBEB013B355F087793646D741346F004F71E94ADE2A2EBD858C18309
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                                • API String ID: 4061214504-213444651
                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                APIs
                                                • __allrem.LIBCMT ref: 0043ACE9
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                • __allrem.LIBCMT ref: 0043AD1C
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                • __allrem.LIBCMT ref: 0043AD51
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 1992179935-0
                                                • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                APIs
                                                • __allrem.LIBCMT ref: 0485AF50
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0485AF6C
                                                • __allrem.LIBCMT ref: 0485AF83
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0485AFA1
                                                • __allrem.LIBCMT ref: 0485AFB8
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0485AFD6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 1992179935-0
                                                • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                • Instruction ID: da7bcc887bec1d20db19b5987854aaa8dc43a8ede4a4defa4e69271fba2f7248
                                                • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                • Instruction Fuzzy Hash: A981DD76A00706ABF728AE6DCC80B5A73A8AF40728F144F2AED51D7690E7B4F9408751
                                                APIs
                                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prologSleep
                                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                • API String ID: 3469354165-3054508432
                                                • Opcode ID: 0792e633713601335f83ff97fb71c1f1c938e59583b2bee902670a87db96b457
                                                • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                • Opcode Fuzzy Hash: 0792e633713601335f83ff97fb71c1f1c938e59583b2bee902670a87db96b457
                                                • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                APIs
                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                • RtlAllocateHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                                                • String ID:
                                                • API String ID: 2227336758-0
                                                • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                APIs
                                                • Sleep.KERNEL32(00000000,?), ref: 0482472B
                                                  • Part of subcall function 0482486E: __EH_prolog.LIBCMT ref: 04824873
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prologSleep
                                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                • API String ID: 3469354165-3054508432
                                                • Opcode ID: 492085be5e5afa04f3b0ed8f778f66d71a1b6d1d42094c5c2204b2a4f3ed0bf8
                                                • Instruction ID: 62efa441310229892242e07b6e9b37e1179ffc2cca539ceeb89d7070adfbe460
                                                • Opcode Fuzzy Hash: 492085be5e5afa04f3b0ed8f778f66d71a1b6d1d42094c5c2204b2a4f3ed0bf8
                                                • Instruction Fuzzy Hash: FB51FA316002349BEA14FB7C9B54A6D37959B81B18F000F69E809D7690EFE4BAC5C7A7
                                                APIs
                                                  • Part of subcall function 04831A3E: SetLastError.KERNEL32(0000000D,04831FBE,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,04831F9C), ref: 04831A44
                                                • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,04831F9C), ref: 04831FD9
                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,04831F9C), ref: 04832047
                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 0483206B
                                                  • Part of subcall function 04831F45: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,04832089,?,00000000,00003000,00000040,00000000,?,00000000), ref: 04831F55
                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 048320B2
                                                • RtlAllocateHeap.NTDLL(00000000), ref: 048320B9
                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 048321CC
                                                  • Part of subcall function 04832319: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,048321D9,?,?,?,?,00000000), ref: 04832389
                                                  • Part of subcall function 04832319: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04832390
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
                                                • String ID:
                                                • API String ID: 2227336758-0
                                                • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                • Instruction ID: 902f6e2c37520ae6801e4df7d3034fbbefd2bfd50c8f8870b9b1d8e23861a10f
                                                • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                • Instruction Fuzzy Hash: 5961D370700205ABD710AF69CD84B7A7AA5BF44B06F044B69FE05C7681EBB4F895CBD1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __cftoe
                                                • String ID:
                                                • API String ID: 4189289331-0
                                                • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __cftoe
                                                • String ID:
                                                • API String ID: 4189289331-0
                                                • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                • Instruction ID: d356b65d79c5b8711bd31093ba15f782346d7f4a972080f54c8ab3d57c54c91f
                                                • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                • Instruction Fuzzy Hash: 56513B32900205BBEBA09F6CEC84EAE77E8EF48724F144B29E817D61D1EB71F5408765
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 0482A6B8
                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0482A6C4
                                                • GetKeyboardLayout.USER32(00000000), ref: 0482A6CB
                                                • GetKeyState.USER32(00000010), ref: 0482A6D5
                                                • GetKeyboardState.USER32(?), ref: 0482A6E0
                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0482A79C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                • String ID:
                                                • API String ID: 3566172867-0
                                                • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                • Instruction ID: 2de104dfd012fd50500e876c1e77464028c0004b9a45678e33345a396d30e579
                                                • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                • Instruction Fuzzy Hash: 96315F72544318FFD710DF94DC44F9B7BECAB88745F00092AB645C61A0E7B1F9888B96
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 04827C67
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 04827CAF
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                • CloseHandle.KERNEL32(00000000), ref: 04827CEF
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 04827D0C
                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 04827D37
                                                • DeleteFileW.KERNEL32(00000000), ref: 04827D47
                                                  • Part of subcall function 04824DFD: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,04824EB0,00000000,00000000,00000000,?,00474EF8,?), ref: 04824E0C
                                                  • Part of subcall function 04824DFD: SetEvent.KERNEL32(00000000), ref: 04824E2A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                • String ID:
                                                • API String ID: 1303771098-0
                                                • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                • Instruction ID: 984a268c26f60400b0f9b6738f176966ff78bd7e47bd5078c960a5cf49537de7
                                                • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                • Instruction Fuzzy Hash: 00319171504360AFD310EF64D954DAFB3A8FF94205F404E2EF985E2150DBB4BA88CBA6
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                • String ID:
                                                • API String ID: 493672254-0
                                                • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 0483AE14
                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 0483AE2B
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0483AE38
                                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 0483AE47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$Open$CloseControlHandleManager
                                                • String ID:
                                                • API String ID: 1243734080-0
                                                • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                • Instruction ID: 14a751272eca9cddb52efb5008cc065fa36984497820aca32ea37471b6a511a4
                                                • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                • Instruction Fuzzy Hash: DB11E53190031CAF9B216F64DC88DFF3B6CDB45A66B000925F945E2091DB68AD45AAF5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID: PkGNG
                                                • API String ID: 1036877536-263838557
                                                • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                APIs
                                                • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                • _free.LIBCMT ref: 004482CC
                                                • _free.LIBCMT ref: 004482F4
                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                • _abort.LIBCMT ref: 00448313
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                APIs
                                                • GetLastError.KERNEL32(?,0485F9D7,0485AADC,0485F9D7,00474EF8,PkGNG,0485D0CC,FF8BC35D,00474EF8,00474EF8), ref: 04868500
                                                • _free.LIBCMT ref: 04868533
                                                • _free.LIBCMT ref: 0486855B
                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868568
                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 04868574
                                                • _abort.LIBCMT ref: 0486857A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                • Instruction ID: 0d31abf32c9133dbd92f6e2fd6fa5946f50a6c632378c542274cc64e8226871e
                                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                • Instruction Fuzzy Hash: 0DF0D6351027006BD791773CBD0CF5A251A9FC167AF244F25F90ED21D0FEA0AA828156
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
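The three service-control entries above are the same call sequence (OpenSCManagerW, OpenServiceW, ControlService, CloseServiceHandle) differing only in the dwControl value passed to ControlService (1, 2, 3) and in the access mask requested from OpenServiceW (0x20, 0x40). The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API-trace lines in the IDA plugin's own listing format, decodes the ControlService control code against the documented winsvc.h constants, and checks that the preceding OpenServiceW request carried the right that control needs (SERVICE_STOP for stop, SERVICE_PAUSE_CONTINUE for pause and continue). The trace lines embedded in it are copied from the entries above; the function names and the record layout are my own.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the OpenSCManagerW/OpenServiceW/ControlService lines copied
# from the three service-control entries of this report. Only the call name,
# module, argument list and "ref:" address are used; '?' marks a stack slot the
# sandbox could not resolve.
SAMPLE_TRACE = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
"""

# Documented constants from winsvc.h.
SERVICE_CONTROL_CODES = {
    0x1: "SERVICE_CONTROL_STOP",
    0x2: "SERVICE_CONTROL_PAUSE",
    0x3: "SERVICE_CONTROL_CONTINUE",
    0x4: "SERVICE_CONTROL_INTERROGATE",
}
SERVICE_ACCESS_BITS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
# Service right each control code requires on the handle (ControlService docs).
REQUIRED_RIGHT = {0x1: 0x0020, 0x2: 0x0040, 0x3: 0x0040, 0x4: 0x0080}

# "• Api.MODULE(arg,arg,...), ref: ADDR" as the IDA plugin prints it.
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def _arg(token: str) -> Any:
    """'?' is an unresolved slot; hex words become ints; anything else stays text."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_lines(text: str) -> List[Dict[str, Any]]:
    """Turn the plugin's API listing into call records, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue  # e.g. "_free.LIBCMT ref: ..." lines carry no argument list
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [_arg(t) for t in raw.split(",")] if raw else [],
            "ref": m.group("ref").upper(),
        })
    return calls


def decode_access(mask: int) -> List[str]:
    """Name every set bit of an OpenServiceW dwDesiredAccess mask; unknown bits stay hex."""
    names = [name for bit, name in SERVICE_ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(SERVICE_ACCESS_BITS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def summarize_service_control(text: str) -> List[Dict[str, Any]]:
    """Pair each ControlService call with the preceding OpenServiceW access mask and
    check that the opened handle carries the right the requested control needs."""
    findings = []
    last_access: Optional[int] = None
    for call in parse_api_lines(text):
        if call["api"] == "OpenServiceW" and len(call["args"]) >= 3:
            last_access = call["args"][2]          # dwDesiredAccess
        elif call["api"] == "ControlService" and len(call["args"]) >= 2:
            code = call["args"][1]                 # dwControl
            if not isinstance(code, int):
                continue                           # unresolved: nothing to decode
            needed = REQUIRED_RIGHT.get(code)
            findings.append({
                "ref": call["ref"],
                "control": code,
                "control_name": SERVICE_CONTROL_CODES.get(code, f"0x{code:X}"),
                "access": decode_access(last_access) if last_access is not None else [],
                "access_ok": bool(last_access is not None and needed and last_access & needed),
            })
    return findings


if __name__ == "__main__":
    for finding in summarize_service_control(SAMPLE_TRACE):
        print(finding)
```

Two caveats a reader of these entries should keep in mind. The listing shows the same 0x20/0x40 value as the third argument of OpenSCManagerW, but SC_MANAGER rights use a different bit layout, so the decoder only interprets the OpenServiceW mask. And the second argument of OpenServiceW (the service name) is listed as 00000000, i.e. unresolved, so which service is stopped, paused or resumed cannot be read off these entries.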
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 04833D5E
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 04833D8D
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 04833E2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$InfoQueryValue
                                                • String ID: xUG$TG
                                                • API String ID: 3554306468-3109661684
                                                • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                • Instruction ID: 7376fcbfca1c60e3ef4a926e0972dcc80a53eadaf931ae44e7a7499e09503f01
                                                • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                • Instruction Fuzzy Hash: D1514371900129AAEB01EBD4DD84EEEB77DFF14304F500A66E505E6154EFB47B48CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: @^E
                                                • API String ID: 269201875-2908066071
                                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction ID: 96ec8fb0ba12b41de2dfee894905201bb29b20e82c760d277f6787b714d464be
                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction Fuzzy Hash: F4410D71A00704EFE724EF7CCC40B6A77E8EB88715F104BAAE556DB280D6B5B541CB81
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                • String ID: PkGNG
                                                • API String ID: 3360349984-263838557
                                                • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 0482501A
                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 0482502E
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04825039
                                                • CloseHandle.KERNEL32(00000000), ref: 04825042
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                • String ID: PkGNG
                                                • API String ID: 3360349984-263838557
                                                • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                • Instruction ID: 301c3d6f3d2a8082159d4fb58e8a415e667fbf1919375063fbf5dd5ecbec0436
                                                • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                • Instruction Fuzzy Hash: 4141B171204350AFDB14FF28CE54DBFB7E9EF94614F040E1DF482D21A0EA61B9488A62
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 04871460
                                                • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 048714E9
                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 048714FB
                                                • __freea.LIBCMT ref: 04871504
                                                  • Part of subcall function 0486641F: RtlAllocateHeap.NTDLL(00000000,048555B0,?), ref: 04866451
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                • String ID: PkGNG
                                                • API String ID: 2652629310-263838557
                                                • Opcode ID: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                                                • Instruction ID: 59bdaf0edb07bbb34da61a63973fc1a254417bd04da1550ad8de6c7397f4d0be
                                                • Opcode Fuzzy Hash: 29fbf7857a96745c538d0cac7db2b43cff4be5d8612efa81122893b79f6f153c
                                                • Instruction Fuzzy Hash: 2431B272A0020AAFDF25DF64DC54DAE7BA5EF40714F044A68EC15D72A0E735E950CBA0
                                                APIs
                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                • wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventLocalTimewsprintf
                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                • API String ID: 1497725170-248792730
                                                • Opcode ID: 3d679cc2849754fb2f4fa39d800a84baf68540eafbaed469cb563a02f79558db
                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                • Opcode Fuzzy Hash: 3d679cc2849754fb2f4fa39d800a84baf68540eafbaed469cb563a02f79558db
                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
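The String ID of the entry above joins three separate literals with the plugin's `$` separator: `[%04i/%02i/%02i %02i:%02i:%02i `, `Offline Keylogger Started` and `]`, and the APIs are GetLocalTime followed by wsprintfW. The Python below is an added example, not the report's or the sample's code. It assumes (the listing does not confirm this) that the six SYSTEMTIME fields fill the first literal and the other two follow it, so that each offline keylogger session opens with a header such as `[2024/12/02 09:15:43 Offline Keylogger Started]`; it renders that header and then parses a captured log back into a per-session timeline, which is what an analyst recovering the keylog from an infected host wants. The sample log is constructed; its window-title and keystroke lines are illustrative and say nothing about the real on-disk format.

```python
import re
from datetime import datetime
from typing import List, Tuple

# The three literals as the report lists them (split at the '$' separator).
HEADER_FORMAT = "[%04i/%02i/%02i %02i:%02i:%02i "
HEADER_MARKER = "Offline Keylogger Started"
HEADER_CLOSE = "]"

# Constructed sample log: two sessions, each opened by the assumed header.
# The lines between headers are made up for the example.
SAMPLE_LOG = (
    "[2024/12/02 09:15:43 Offline Keylogger Started]\r\n"
    "[Chrome - Sign in]\r\n"
    "alice@example.test[Tab]hunter2[Enter]\r\n"
    "[2024/12/02 14:02:10 Offline Keylogger Started]\r\n"
    "notes.txt[Enter]\r\n"
)


def render_header(year: int, month: int, day: int, hour: int, minute: int, second: int) -> str:
    """Emulate the header under the assumed wsprintfW-then-append construction.
    Python's printf-style operator accepts the same %04i/%02i specifiers."""
    return HEADER_FORMAT % (year, month, day, hour, minute, second) + HEADER_MARKER + HEADER_CLOSE


# Inverse of render_header: four-digit year, two-digit fields, literal marker.
HEADER_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) " + re.escape(HEADER_MARKER) + r"\]"
)


def split_sessions(text: str) -> List[Tuple[datetime, str]]:
    """Return (session start, captured text) pairs, one per header found.
    The timestamp comes from GetLocalTime, so it is host-local, not UTC."""
    matches = list(HEADER_RE.finditer(text))
    sessions = []
    for i, m in enumerate(matches):
        y, mo, d, h, mi, s = (int(g) for g in m.groups())
        body_end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        sessions.append((datetime(y, mo, d, h, mi, s), text[m.end():body_end].strip()))
    return sessions


def find_sessions(text: str) -> List[datetime]:
    """Just the session start times, for a quick timeline."""
    return [start for start, _ in split_sessions(text)]


if __name__ == "__main__":
    for start, body in split_sessions(SAMPLE_LOG):
        print(start.isoformat(), repr(body))
```

The marker literal on its own is a cheap string-scan indicator for recovered logs and memory dumps. Because the header is built from GetLocalTime, normalise the parsed timestamps against the victim host's time zone before placing them on a UTC incident timeline.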
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleSizeSleep
                                                • String ID: XQG
                                                • API String ID: 1958988193-3606453820
                                                • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0482A9EF), ref: 0482A94D
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0482A9EF), ref: 0482A95C
                                                • Sleep.KERNEL32(00002710,?,?,?,0482A9EF), ref: 0482A989
                                                • CloseHandle.KERNEL32(00000000,?,?,?,0482A9EF), ref: 0482A990
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleSizeSleep
                                                • String ID: XQG
                                                • API String ID: 1958988193-3606453820
                                                • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                • Instruction ID: 12b1a58acbc88571cf4526530747cb8c973572ebc8223d4486cb5f5fe3c7c779
                                                • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                • Instruction Fuzzy Hash: 73112B30600B70BEE7379BA99A8873E7B9AEF45206F410E28E195CA591C69478C08319
                                                APIs
                                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                • GetLastError.KERNEL32 ref: 0041D611
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                • String ID: 0$MsgWindowClass
                                                • API String ID: 2877667751-2410386613
                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                APIs
                                                • RegisterClassExA.USER32(00000030), ref: 0483D853
                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0483D86E
                                                • GetLastError.KERNEL32 ref: 0483D878
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                • String ID: 0$MsgWindowClass
                                                • API String ID: 2877667751-2410386613
                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction ID: 6508d898657889c7c86c20dd3f84256e895894ea0b9c8bec1764aa239732552c
                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction Fuzzy Hash: B80125B1D0021DABDB00EFE5DC84DEFBBBCEB05255F00493AF904A6240E77499058AA0
                                                APIs
                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                Strings
                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreateProcess
                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                • API String ID: 2922976086-4183131282
                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                Strings
                                                • C:\Users\user\Desktop\E84Ddy7gSh.exe, xrefs: 004076FF
                                                • Rmc-D7NPY6, xrefs: 00407715
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe$Rmc-D7NPY6
                                                • API String ID: 0-3316252658
                                                • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                • SetEvent.KERNEL32(?), ref: 0040512C
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                • CloseHandle.KERNEL32(?), ref: 00405140
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                • String ID: KeepAlive | Disabled
                                                • API String ID: 2993684571-305739064
                                                • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                APIs
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                • String ID: Alarm triggered
                                                • API String ID: 614609389-2816303416
                                                • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                Strings
                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                • API String ID: 3024135584-2418719853
                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                • Instruction ID: 24446b8fc9f2c6b799c78896ee6f9c178f215a582e8d15734b3a039d92f9eefb
                                                • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                • Instruction Fuzzy Hash: FC71D631D00216DBDB61CF54C888ABFBBB6FF45364F144B29E81AE7152DB70A841D7A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID:
                                                • API String ID: 3033488037-0
                                                • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                • Instruction ID: 87d5f979acb7f18a4e232833ee744045f8da99aa1647f8dd820c31f6f97b9ad2
                                                • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                • Instruction Fuzzy Hash: 1151D131A00204BFEB60DF69EC41A6A77F4EF49729B144A6DE80ADB250E731F941CB81
                                                APIs
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 2180151492-0
                                                • Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                • Opcode Fuzzy Hash: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                APIs
                                                  • Part of subcall function 0483C2AF: GetCurrentProcess.KERNEL32(00000003,?,?,0483B5C9,00000000,004750E4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0483C2C0
                                                  • Part of subcall function 0483C2AF: IsWow64Process.KERNEL32(00000000,?,?,0483B5C9,00000000,004750E4,00000003,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0483C2C7
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0482FBBD
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0482FBE1
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0482FBF0
                                                • CloseHandle.KERNEL32(00000000), ref: 0482FDA7
                                                  • Part of subcall function 0483C2DD: OpenProcess.KERNEL32(00000400,00000000), ref: 0483C2F2
                                                  • Part of subcall function 0483C2DD: IsWow64Process.KERNEL32(00000000,?), ref: 0483C2FD
                                                  • Part of subcall function 0483C4D5: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0483C4ED
                                                  • Part of subcall function 0483C4D5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0483C500
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0482FD98
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 2180151492-0
                                                • Opcode ID: 90e78233c67fe500e7c897fb9588ef7a3a1ac601b612ffb3a5c256a9fbc119f7
                                                • Instruction ID: 3dcce1272b0f676ce1a5876802da233dfbb1977b08cf6fe95b7d1a9cfe55854c
                                                • Opcode Fuzzy Hash: 90e78233c67fe500e7c897fb9588ef7a3a1ac601b612ffb3a5c256a9fbc119f7
                                                • Instruction Fuzzy Hash: 4B4143311082549BD325FB28DE50AEFB3A8AFA4344F404E2DE549D2194EF70BA49C657
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction ID: 9dbd9d30a686f865324feb9cb99fc261c549161487a116b77c165d181e374805
                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction Fuzzy Hash: 06410236A00214AFDB10DFBCC880A5EB7F5EF85B14F118AA9D916EB350E731B941CB84
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                • _free.LIBCMT ref: 0044F43F
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0486F64A
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0486F66D
                                                  • Part of subcall function 0486641F: RtlAllocateHeap.NTDLL(00000000,048555B0,?), ref: 04866451
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0486F693
                                                • _free.LIBCMT ref: 0486F6A6
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0486F6B5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                • Instruction ID: cf158b0477499106b11782d198a8cbd841a59102c452ae40b94a86583d7dd014
                                                • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                • Instruction Fuzzy Hash: A801D472601715BFB76116BAAC8CC7B7A6DDECAEA53150629FF06C2110EEA0DC0182B4
                                                APIs
                                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                • String ID:
                                                • API String ID: 1852769593-0
                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0483C808,00000000,00000000,?), ref: 0483C728
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0483C808,00000000,00000000,?,?,0482AB89), ref: 0483C745
                                                • CloseHandle.KERNEL32(00000000,?,00000000,0483C808,00000000,00000000,?,?,0482AB89), ref: 0483C751
                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0483C808,00000000,00000000,?,?,0482AB89), ref: 0483C762
                                                • CloseHandle.KERNEL32(00000000,?,00000000,0483C808,00000000,00000000,?,?,0482AB89), ref: 0483C76F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                • String ID:
                                                • API String ID: 1852769593-0
                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction ID: f445a34e3659b6e2d6da26d7188f56ea8a0b2007aef3359ec76236f899fedfd0
                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction Fuzzy Hash: 4411A172205215BFEB104E28AC88E7B739CEB4B267F004B29FA52E21D1D761AC0596F5
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                • _free.LIBCMT ref: 00448353
                                                • _free.LIBCMT ref: 0044837A
                                                • SetLastError.KERNEL32(00000000), ref: 00448387
                                                • SetLastError.KERNEL32(00000000), ref: 00448390
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,0485BF3D,00000000,?,?,0485BFC1,00000000,00000000,00000000,00000000,00000000,?,?), ref: 04868585
                                                • _free.LIBCMT ref: 048685BA
                                                • _free.LIBCMT ref: 048685E1
                                                • SetLastError.KERNEL32(00000000), ref: 048685EE
                                                • SetLastError.KERNEL32(00000000), ref: 048685F7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction ID: 1c754b5fb6db76750327a1ea7d3be8ae25c408bac8710241145f620f9ecab3a3
                                                • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction Fuzzy Hash: 4E01F9362027017BA3527B6CAC4CE1B225BDBC167A7240F39FD0FE2190FEA4EA418559
                                                APIs
                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                • String ID:
                                                • API String ID: 2951400881-0
                                                • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                APIs
                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0483C4ED
                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0483C500
                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0483C520
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0483C52B
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0483C533
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                • String ID:
                                                • API String ID: 2951400881-0
                                                • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                • Instruction ID: d8f25d343bd5a3af9f2f90adc8c68813ab66450b41f5eef800ed41d84c52111e
                                                • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                • Instruction Fuzzy Hash: DA01FE73300315ABEB1057589C4DF77767CDB44697F000665F944E21D1FFA0AE4145B5
                                                APIs
                                                • _free.LIBCMT ref: 00450A54
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00450A66
                                                • _free.LIBCMT ref: 00450A78
                                                • _free.LIBCMT ref: 00450A8A
                                                • _free.LIBCMT ref: 00450A9C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                APIs
                                                • _free.LIBCMT ref: 04870CBB
                                                  • Part of subcall function 04866A69: HeapFree.KERNEL32(00000000,00000000,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?), ref: 04866A7F
                                                  • Part of subcall function 04866A69: GetLastError.KERNEL32(?,?,04870F56,?,00000000,?,00000000,?,048711FA,?,00000007,?,?,04871745,?,?), ref: 04866A91
                                                • _free.LIBCMT ref: 04870CCD
                                                • _free.LIBCMT ref: 04870CDF
                                                • _free.LIBCMT ref: 04870CF1
                                                • _free.LIBCMT ref: 04870D03
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction ID: 7457d3e8786fc2c68589f272d897d616bf425191b0da025ca3030e25809117f4
                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction Fuzzy Hash: 06F09632515240AF8760DB9CFAD5C1A77D9EA45B107A48E0DF10DEB610DB70F8C08655
                                                APIs
                                                • _free.LIBCMT ref: 00444106
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00444118
                                                • _free.LIBCMT ref: 0044412B
                                                • _free.LIBCMT ref: 0044413C
                                                • _free.LIBCMT ref: 0044414D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                                • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: PkGNG
                                                • API String ID: 0-263838557
                                                • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                • Instruction ID: c8aa80b64331514ff2ca1e9af4a3ca2f33aa43ef48d829d8f3960f8557c66122
                                                • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                • Instruction Fuzzy Hash: 13519371E001299ADF51DFA8CC44FAE7BB8AF0531CF100E59E916EB1A1D770B541DBA2
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountEventTick
                                                • String ID: !D@$NG
                                                • API String ID: 180926312-2721294649
                                                • Opcode ID: e52fc7a95dc10006057367343353241763694e7611518825ed9a516dfd40078b
                                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                • Opcode Fuzzy Hash: e52fc7a95dc10006057367343353241763694e7611518825ed9a516dfd40078b
                                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                • String ID: XQG$NG$PG
                                                • API String ID: 1634807452-3565412412
                                                • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(?), ref: 0482A175
                                                  • Part of subcall function 04824B2F: connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 04824B47
                                                  • Part of subcall function 0483C80D: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,0482A1FD,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0483C822
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                • String ID: XQG$NG$PG
                                                • API String ID: 1634807452-3565412412
                                                • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                • Instruction ID: e2515ab72f79abd4abc51e14a585768eff134875ac8666804a3a982b5a2f49e2
                                                • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                • Instruction Fuzzy Hash: FC5166315082909BE329FB38EA50AEFB3D5EF94304F504E2DA44AD7194EFB47989C653
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\E84Ddy7gSh.exe,00000104), ref: 00443515
                                                • _free.LIBCMT ref: 004435E0
                                                • _free.LIBCMT ref: 004435EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe
                                                • API String ID: 2506810119-1188050719
                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\E84Ddy7gSh.exe,00000104), ref: 0486377C
                                                • _free.LIBCMT ref: 04863847
                                                • _free.LIBCMT ref: 04863851
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe
                                                • API String ID: 2506810119-1188050719
                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction ID: fea82d0e9df22fff0409ce003a22475088c0dd348b3665f19a3bc01dc6a54294
                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction Fuzzy Hash: D631A8B1A00248EFE761DF9DDD80D9EBBACDB85314F104566E80AD7210D7B0AA80D791
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,00466118,0046C7C0,00000000,00000000,00000000), ref: 04837797
                                                  • Part of subcall function 0483C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C796
                                                • Sleep.KERNEL32(00000064), ref: 048377C3
                                                • DeleteFileW.KERNEL32(00000000), ref: 048377F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                • String ID: /t
                                                • API String ID: 1462127192-3161277685
                                                • Opcode ID: f730c0b347a8ee613e59fb056768ff0538d175567b71a323561873fa5d1aa4eb
                                                • Instruction ID: d4868a73e931690f58ed83289e75be9e8c4b9a9df51a057a675f75333784eb68
                                                • Opcode Fuzzy Hash: f730c0b347a8ee613e59fb056768ff0538d175567b71a323561873fa5d1aa4eb
                                                • Instruction Fuzzy Hash: 8D317671900229ABEB04FBA8DD91DFD7734AF10609F404A65E505F3190EFA47ACACA96
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                • GetLastError.KERNEL32 ref: 0044B9B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                • String ID: PkGNG
                                                • API String ID: 2456169464-263838557
                                                • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0486BE65,?,00000000,FF8BC35D), ref: 0486BBB9
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0486BBE7
                                                • GetLastError.KERNEL32 ref: 0486BC18
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                • String ID: PkGNG
                                                • API String ID: 2456169464-263838557
                                                • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                • Instruction ID: 32056256083724aab1d65c5c641fceaa48aeac29e035599719b4014912ce0204
                                                • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                • Instruction Fuzzy Hash: 63315E71A00219AFDB14CF59DC919EAB7B8EB08315F0449BDE90AD7250DA70BE80CF64
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                • API String ID: 368326130-3219657780
                                                • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                APIs
                                                • _wcslen.LIBCMT ref: 00416330
                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen$CloseCreateValue
                                                • String ID: !D@$okmode$PG
                                                • API String ID: 3411444782-3370592832
                                                • Opcode ID: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                • Opcode Fuzzy Hash: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                APIs
                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                Strings
                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                • API String ID: 1174141254-1980882731
                                                • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                APIs
                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                Strings
                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                • API String ID: 1174141254-1980882731
                                                • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTimewsprintf
                                                • String ID: Offline Keylogger Started
                                                • API String ID: 465354869-4114347211
                                                • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                APIs
                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0482B414
                                                • wsprintfW.USER32 ref: 0482B495
                                                  • Part of subcall function 0482A8D8: SetEvent.KERNEL32(00000000,?,00000000,0482B4AC,00000000), ref: 0482A904
                                                Strings
                                                • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0482B41D
                                                • Offline Keylogger Started, xrefs: 0482B40D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventLocalTimewsprintf
                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                                                • API String ID: 1497725170-184404310
                                                • Opcode ID: da05e807d6314d5b6d90eba55f19dcd7dbfb82d31573963669363ff37f469dbe
                                                • Instruction ID: bf1d4de64eeabf0124bf3bba428d5766a2a2ce16c904f0de210091fffdd48b17
                                                • Opcode Fuzzy Hash: da05e807d6314d5b6d90eba55f19dcd7dbfb82d31573963669363ff37f469dbe
                                                • Instruction Fuzzy Hash: 58115772500128B6DB08FB98DD54CFF77B8EE48615B00065AF502E6090EFB87AC5C6A5
                                                APIs
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTime$wsprintf
                                                • String ID: Online Keylogger Started
                                                • API String ID: 112202259-1258561607
                                                • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                APIs
                                                • SetEvent.KERNEL32(00000000), ref: 048250AA
                                                • CloseHandle.KERNEL32(00000000), ref: 048250B3
                                                • closesocket.WS2_32(FFFFFFFF), ref: 048250C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandleclosesocket
                                                • String ID: PkGNG
                                                • API String ID: 803913606-263838557
                                                • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                • Instruction ID: 7f149155ecdd1e54968047a831ce94ebdd93b05e167c8073432de0860da9bce0
                                                • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                • Instruction Fuzzy Hash: 2C214731084B14AFDB316F25DD49B26BBA2EF4132AF104F2CE5A251AF1CB61F851DB58
                                                APIs
                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                • API String ID: 481472006-3277280411
                                                • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$EventLocalThreadTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 2532271599-1507639952
                                                • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 048251E8
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04825234
                                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 04825247
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 048251FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$EventLocalThreadTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 2532271599-1507639952
                                                • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                • Instruction ID: 9f56a463303096c36a009d7b4ee4d164ae72db7e3b94875bd0863cf421981313
                                                • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                • Instruction Fuzzy Hash: 33110A31904394BBD720B77A8D0CAAB7FA8DBD2714F04095EE441D2151DAB4B484CBA2
                                                APIs
                                                • _wcslen.LIBCMT ref: 048277C3
                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 04827824
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object_wcslen
                                                • String ID: $${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                • API String ID: 240030777-2784132835
                                                • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                • Instruction ID: 2848e0261d701da45612c0836afed684b1fd71a3615e87932adeb6253b578ef4
                                                • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                • Instruction Fuzzy Hash: 16112C71900218ABD710E799C954EDFBBBCDB54714F210557ED04E3240E7B8AA84CAAB
                                                APIs
                                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: CryptUnprotectData$crypt32
                                                • API String ID: 2574300362-2380590389
                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                APIs
                                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                • SetCommState.KERNEL32 ref: 0044C316
                                                • __dosmaperr.LIBCMT ref: 0044C31D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CommFilePointerState__dosmaperr
                                                • String ID: PkGNG
                                                • API String ID: 1619704918-263838557
                                                • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                                • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                                APIs
                                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0486C5E9,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0486C573
                                                • GetLastError.KERNEL32 ref: 0486C57D
                                                • __dosmaperr.LIBCMT ref: 0486C584
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastPointer__dosmaperr
                                                • String ID: PkGNG
                                                • API String ID: 2336955059-263838557
                                                • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                • Instruction ID: 104c277bde2e6efa4e5c2e6b1c7170817ede7b2f08814897ddd62945a39a0213
                                                • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                • Instruction Fuzzy Hash: 34012D32610514ABCB05DF9DDC0885D3B2BEB85320B240759F866DB190FA71FD508791
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandleObjectSingleWait
                                                • String ID: Connection Timeout
                                                • API String ID: 2055531096-499159329
                                                • Opcode ID: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                • Opcode Fuzzy Hash: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2005118841-1866435925
                                                • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                APIs
                                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FormatFreeLocalMessage
                                                • String ID: @J@$PkGNG
                                                • API String ID: 1427518018-1416487119
                                                • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                                                • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                • String ID: bad locale name
                                                • API String ID: 3628047217-1405518554
                                                • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                APIs
                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 04833AC1
                                                • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0482FAC5,pth_unenc,004752D8), ref: 04833AEF
                                                • RegCloseKey.ADVAPI32(004752D8,?,0482FAC5,pth_unenc,004752D8), ref: 04833AFA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: pth_unenc
                                                • API String ID: 1818849710-4028850238
                                                • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                • Instruction ID: f01167ec5876bb287943a7ec3f704c9afd7926d286f0a87892892212c201d2e2
                                                • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                • Instruction Fuzzy Hash: 73F06D72540228FBDF009FA4ED45EFE376CEB44A56F004AA4F905EA160EB71AF04DA90
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: Control Panel\Desktop
                                                • API String ID: 1818849710-27424756
                                                • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,0045D3BC,00000000,?,?,PkGNG,048635F2,00000003,PkGNG,04863592,00000003,0046E958,0000000C,048636E9,00000003,00000002), ref: 04863661
                                                • GetProcAddress.KERNEL32(00000000,0045D3D4), ref: 04863674
                                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,048635F2,00000003,PkGNG,04863592,00000003,0046E958,0000000C,048636E9,00000003,00000002,00000000,PkGNG), ref: 04863697
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: PkGNG
                                                • API String ID: 4061214504-263838557
                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction ID: d10c49a187b466ba1822bfc10101eb311b9c2986903fde0bfc6830c512c2f575
                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction Fuzzy Hash: BFF03131900308FBDB119FA5DC09B9DBBB5EF04712F0145A9FC05E62A1EB749D40DA99
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 04833A20
                                                • RegSetValueExA.ADVAPI32(0046612C,0046CBC8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000), ref: 04833A48
                                                • RegCloseKey.ADVAPI32(0046612C,?,?,0483CDA9,0046CBC8,0046612C,00000001,00474EE0,00000000,?,048289FF,00000001), ref: 04833A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: Control Panel\Desktop
                                                • API String ID: 1818849710-27424756
                                                • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                • Instruction ID: ac7e02a67dd51ea8f67220e88e5f4e376c3474ab5f18a9ca366f047d525cd920
                                                • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                • Instruction Fuzzy Hash: 55F09632540118FBDF009FA4ED44DEA776CEF04651F104B54BD09E6051EB71AF54DB90
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                • String ID: !D@
                                                • API String ID: 186401046-604454484
                                                • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,0041D4EE,00000000,00000000,00000000), ref: 04836EE9
                                                • ShowWindow.USER32(00000009), ref: 04836F03
                                                • SetForegroundWindow.USER32 ref: 04836F0F
                                                  • Part of subcall function 0483D093: AllocConsole.KERNEL32 ref: 0483D09C
                                                  • Part of subcall function 0483D093: GetConsoleWindow.KERNEL32 ref: 0483D0A2
                                                  • Part of subcall function 0483D093: ShowWindow.USER32(00000000,00000000), ref: 0483D0B5
                                                  • Part of subcall function 0483D093: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0483D0DA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                • String ID: !D@
                                                • API String ID: 186401046-604454484
                                                • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                • Instruction ID: 3d7a910e288d35a2b0bb824ddb4640a85402f3930151dc2bd8ffedff5d6d20dd
                                                • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                • Instruction Fuzzy Hash: 1CF082B0144240EFE320FB78EE54ABA7758EB54306F404D76ED09C20B1EF71AC959A9A
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: /C $cmd.exe$open
                                                • API String ID: 587946157-3896048727
                                                • Opcode ID: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                • Opcode Fuzzy Hash: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                APIs
                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: GetCursorInfo$User32.dll
                                                • API String ID: 1646373207-2714051624
                                                • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                APIs
                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetLastInputInfo$User32.dll
                                                • API String ID: 2574300362-1519888992
                                                • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                                • Instruction ID: 6c0fc08bb4f4e133e7a0778c3cfa76c9e3f27076081aa1c63656a881bd1e8ee8
                                                • Opcode Fuzzy Hash: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                                • Instruction Fuzzy Hash: 35A17772A003869FE729CF5CC8907AEBBE5EF42314F144BADD986EB280D674B941C751
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction ID: 48ed6c0c0f636882e9c81274c2025ccd675d0d4578254bbeb519a3dbb399c750
                                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction Fuzzy Hash: 8E411E31A006006BFB61BBFC8C54A6E3AA5EF46378F140F15F82DD6190FAB4F44096A3
                                                APIs
                                                Strings
                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                • API String ID: 3472027048-1236744412
                                                • Opcode ID: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                • Opcode Fuzzy Hash: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                APIs
                                                  • Part of subcall function 0483399A: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 048339B6
                                                  • Part of subcall function 0483399A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 048339CF
                                                  • Part of subcall function 0483399A: RegCloseKey.ADVAPI32(?), ref: 048339DA
                                                • Sleep.KERNEL32(00000BB8), ref: 04832A1C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQuerySleepValue
                                                • String ID: 8SG$exepath$xdF
                                                • API String ID: 4119054056-3578471011
                                                • Opcode ID: 977866b65a9b04f8ae2c6d7eb0dc57cf2c81b09f37f839369ebea4010998f4e6
                                                • Instruction ID: 29560761fd55d1e410ea25307a028e873dc97867a0bda4e768eb203e4d6538ca
                                                • Opcode Fuzzy Hash: 977866b65a9b04f8ae2c6d7eb0dc57cf2c81b09f37f839369ebea4010998f4e6
                                                • Instruction Fuzzy Hash: A2213D81B0032427FA14B67C5D04E7F724DCB81319F404FB9A906DB2C2EEE5BD8582AB
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 04825726
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 048257D6
                                                • TranslateMessage.USER32(?), ref: 048257E5
                                                • DispatchMessageA.USER32(?), ref: 048257F0
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 048258A8
                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 048258E0
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                • String ID:
                                                • API String ID: 2956720200-0
                                                • Opcode ID: 2cd85522589ee397d0502ceedecbb57e3328b3dadc5e25a82386769950989675
                                                • Instruction ID: f3261aa7521fd6c006dd320da230ead9ebfe3bce7cc19d0ceab8743b60669999
                                                • Opcode Fuzzy Hash: 2cd85522589ee397d0502ceedecbb57e3328b3dadc5e25a82386769950989675
                                                • Instruction Fuzzy Hash: E6218072544315ABDB10FBB8CE49C9E7BA8AF85704F400F68F912C31A5EB64E945CB53
                                                APIs
                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$ForegroundLength
                                                • String ID: [ $ ]
                                                • API String ID: 3309952895-93608704
                                                • Opcode ID: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                • Opcode Fuzzy Hash: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0483AF80
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0483AF94
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0483AFA1
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0483AFD6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$Open$ChangeCloseConfigHandleManager
                                                • String ID:
                                                • API String ID: 110783151-0
                                                • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                • Instruction ID: 511b790c32c902e98c65f3702bc0c39a03f5a64d0f196f35a17e3390b4d2cb0e
                                                • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                • Instruction Fuzzy Hash: E70168B1248228BAE6151F399C4DEBF3F6CDB42672F000B25FD61D21D1DA64EE4095E5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SystemTimes$Sleep__aulldiv
                                                • String ID:
                                                • API String ID: 188215759-0
                                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SystemTimes$Sleep__aulldiv
                                                • String ID:
                                                • API String ID: 188215759-0
                                                • Opcode ID: cf9949316d284336a99c3e29d524757d388739d188393f984dc2d6745cc506f6
                                                • Instruction ID: acf0f65a94776f2eba0bbf3cd84c1a9530e41901f83247bc8a18811437bfe0d4
                                                • Opcode Fuzzy Hash: cf9949316d284336a99c3e29d524757d388739d188393f984dc2d6745cc506f6
                                                • Instruction Fuzzy Hash: 9D1160B2A043446FD304FAB8CC84DAB7BACEAC5259F044F39B546C2050FE64F60886A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,048687F4,?,00000000,00000000,00000000,?,04868B20,00000006,0045A3E4), ref: 0486887F
                                                • GetLastError.KERNEL32(?,048687F4,?,00000000,00000000,00000000,?,04868B20,00000006,0045A3E4,0045F170,0045F178,00000000,00000364,?,048685CE), ref: 0486888B
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,048687F4,?,00000000,00000000,00000000,?,04868B20,00000006,0045A3E4,0045F170,0045F178,00000000), ref: 04868899
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction ID: 59cd149d28db05cb264915abdd703fe5d6ba08bf8d84a217a52f9dff2ad072e0
                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction Fuzzy Hash: 4E017132607326ABDB619F69AC44A567758AB45BE1B210E30F90ED7181D720E901D7E4
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 3919263394-0
                                                • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C796
                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C7AA
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C7CF
                                                • CloseHandle.KERNEL32(00000000,?,00000000,04824396,00465E84), ref: 0483C7DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 3919263394-0
                                                • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                • Instruction ID: 6299d0230259da25c66f1a7266360f178715894b3a64907180314ca02135761e
                                                • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                • Instruction Fuzzy Hash: 30F068B6241218BFE7101B24AD88EBB379CD7876AAF000B69FD01E21C1DB555D055575
                                                APIs
                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                • String ID:
                                                • API String ID: 2633735394-0
                                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                APIs
                                                • AllocConsole.KERNEL32 ref: 0483D09C
                                                • GetConsoleWindow.KERNEL32 ref: 0483D0A2
                                                • ShowWindow.USER32(00000000,00000000), ref: 0483D0B5
                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0483D0DA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$Window$AllocOutputShow
                                                • String ID:
                                                • API String ID: 4067487056-0
                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction ID: d0e488a4768f92b26fcdb5567102178d4716a608111ade3116c194dc1f1bd4af
                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction Fuzzy Hash: 560184719C03046AE710F7F4DD4EF9D77AC9B04B05F500962BA05E70D1EBADB904865B
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0483ADAD
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0483ADC1
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0483ADCE
                                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 0483ADDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Service$Open$CloseControlHandleManager
                                                • String ID:
                                                • API String ID: 1243734080-0
                                                • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                • Instruction ID: b69ec895c8fb580a36821fcc0f46e65e048bd65c02278726060293d31dd15dd1
                                                • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                • Instruction Fuzzy Hash: 74F0F631500328BBD7116F649C48DFF3B6CDF85A52F000565FD05D2182DBA8ED4595F5
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0483AEB1
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0483AEC5
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0483AED2
                                                • ControlService.ADVAPI32(00000000,00000002,?), ref: 0483AEE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Service$Open$CloseControlHandleManager
                                                • String ID:
                                                • API String ID: 1243734080-0
                                                • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                • Instruction ID: 73ab1e6b7d547c014f7761c73e47c2ed2829c0d541ef073bccc89d6edac514a5
                                                • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                • Instruction Fuzzy Hash: 87F0F631600228BBD7116F689C49DBF3B6CDB45A52F000965FE09E3181DB78ED4695F5
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 0483AF18
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0483AF2C
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0483AF39
                                                • ControlService.ADVAPI32(00000000,00000003,?), ref: 0483AF48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Service$Open$CloseControlHandleManager
                                                • String ID:
                                                • API String ID: 1243734080-0
                                                • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                • Instruction ID: 276a7d4037c788fb2672e92774114cd7670bd2be4822d09673cf334690a56532
                                                • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                • Instruction Fuzzy Hash: F4F0F671500228BBD7116F649C48DBF3B6CDB45A52F000565FE09E2181EB68EE4596F9
                                                APIs
                                                • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                • API ID: MetricsSystem
                                                • String ID:
                                                • API String ID: 4116985748-0
                                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0483A998,00000000), ref: 0483AD4B
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0483A998,00000000), ref: 0483AD60
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0483A998,00000000), ref: 0483AD6D
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0483A998,00000000), ref: 0483AD78
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Service$Open$CloseHandleManagerStart
                                                • String ID:
                                                • API String ID: 2553746010-0
                                                • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                • Instruction ID: 3d4e53cc79b92ef6c9bbf2fa1e24b564a73fe720478495c6376b2052c428944b
                                                • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                • Instruction Fuzzy Hash: FDF0E971101324BFE2116F249C88DBF376CDF85A57B000C25F941D20909BA4ED45A5B5
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 04825387
                                                • SetEvent.KERNEL32(?), ref: 04825393
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0482539E
                                                • CloseHandle.KERNEL32(?), ref: 048253A7
                                                  • Part of subcall function 0483B7E7: GetLocalTime.KERNEL32(00000000), ref: 0483B801
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                • String ID:
                                                • API String ID: 2993684571-0
                                                • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                • Instruction ID: 0d368e9d94dd6129c73393714c56314ff0b8e3e7522cbf82d2dd6fda8a0e5e18
                                                • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                • Instruction Fuzzy Hash: 11F0BBB1944320FFDB113B788E0E66B7F94EB06311F001E59F882C16B1D5A598809797
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F5), ref: 0483D05A
                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0483D067
                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0483D074
                                                • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0483D087
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                • String ID:
                                                • API String ID: 3024135584-0
                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction ID: d03f3af4b1405228fde75dbbded33ef9ce67f793f227fa2fc93fcf85e723130f
                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction Fuzzy Hash: 5FE04872500715E7E31027B5EC4DCAB7B7CE785623B100665FA16815939A649C40C6B5
                                                APIs
                                                • FindResourceA.KERNEL32(0046CA24,0000000A,00000000), ref: 0483B7B1
                                                • LoadResource.KERNEL32(00000000,?,?,0482F680,00000000), ref: 0483B7C5
                                                • LockResource.KERNEL32(00000000,?,?,0482F680,00000000), ref: 0483B7CC
                                                • SizeofResource.KERNEL32(00000000,?,?,0482F680,00000000), ref: 0483B7DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID:
                                                • API String ID: 3473537107-0
                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction ID: 819304b55f680c6362b39ccefb9c6251fe331f3530b486677ffe6016a3acdbb2
                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction Fuzzy Hash: 13E01A76200B22EBEB211BA1AC8CD463E29FBC97637140075F90586231CB758840DA98
                                                APIs
                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                • String ID:
                                                • API String ID: 1761009282-0
                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                APIs
                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 04859218
                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0485921D
                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 04859222
                                                  • Part of subcall function 0485A721: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0485A732
                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 04859237
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                • String ID:
                                                • API String ID: 1761009282-0
                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction ID: bf0648453af88b5a37d3791aa297c1f373130db649f8fbf86adbb5cf4bf183ee
                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction Fuzzy Hash: DDC04CD4008105D63E183EF871901AD23901D430CDB942FC0CDB2D75325B9A314FA433
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 4fbe68187eeb69d2e08e741ed5b0e3133476de9ed197204672df6993eaba3c16
                                                • Instruction ID: cb8573270ab4730b8146d4b54c5086cefd69d025496870322fbbd4759d0ea8e3
                                                • Opcode Fuzzy Hash: 4fbe68187eeb69d2e08e741ed5b0e3133476de9ed197204672df6993eaba3c16
                                                • Instruction Fuzzy Hash: C091E630D0514D9FDF21CE69C8406EDBBB1AF61324F148B5AEC71EB2B4E670BA418B56
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                • API ID: ErrorHandling__start
                                                • String ID: pow
                                                • API String ID: 3213639722-2276729525
                                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 04835E28
                                                  • Part of subcall function 0483BDDE: GetLastInputInfo.USER32(?), ref: 0483BDEE
                                                  • Part of subcall function 0483BDDE: GetTickCount.KERNEL32 ref: 0483BDF4
                                                  • Part of subcall function 0483BD8E: GetForegroundWindow.USER32 ref: 0483BDB0
                                                  • Part of subcall function 0483BD8E: GetWindowTextW.USER32(00000000,?,00000100), ref: 0483BDC3
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                  • Part of subcall function 0482525B: GetLocalTime.KERNEL32(?), ref: 04825297
                                                  • Part of subcall function 0482525B: GetLocalTime.KERNEL32(?), ref: 048252EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: CountLocalTickTimeWindow$ForegroundInfoInputLastTextsend
                                                • String ID: !D@$,aF
                                                • API String ID: 1906814977-3317875915
                                                • Opcode ID: 319b8242092ea0ef6af02523541eb00e10968936954157d0741b60e40b9dba19
                                                • Instruction ID: 2ca25fc3a74cbed243624da1ea5ab856f753955c09a8f2bdb8f1a053eb25e8af
                                                • Opcode Fuzzy Hash: 319b8242092ea0ef6af02523541eb00e10968936954157d0741b60e40b9dba19
                                                • Instruction Fuzzy Hash: 7741A6712482509BE324F73CEA60AEFB3959FA0604F504F6DA846D7094FFB1B989C653
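The function records above are raw sandbox output; reading them by hand means looking up every numeric argument. As an added example that is not part of the Joe Sandbox report, the following Python script parses records in the "APIs" listing format shown above and names the constant arguments that matter for triage: the ControlService control code (1 = SERVICE_CONTROL_STOP, 2 = SERVICE_CONTROL_PAUSE, 3 = SERVICE_CONTROL_CONTINUE), the OpenServiceW access mask (0x10 SERVICE_START, 0x20 SERVICE_STOP, 0x40 SERVICE_PAUSE_CONTINUE) and the GetSystemMetrics indices 0x4C to 0x4F (SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN, SM_CYVIRTUALSCREEN, the virtual-screen origin and size that a full-screen capture routine needs). It then tags each function by the API combination it contains, subcalls included. The embedded sample records are copied from the listings above; the regular expression, the Call class and the tag names are this example's own assumptions, not anything Joe Sandbox provides.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and decode triage-relevant constants.
Added example: the record format follows the report text, the helpers are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Records copied verbatim from the listings above (a sample, not the whole report).
SAMPLE = """\
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 0483ADAD
• OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 0483ADC1
• CloseServiceHandle.ADVAPI32(00000000), ref: 0483ADCE
• ControlService.ADVAPI32(00000000,00000001,?), ref: 0483ADDD
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
APIs
• GetTickCount.KERNEL32 ref: 04835E28
  • Part of subcall function 0483BDDE: GetLastInputInfo.USER32(?), ref: 0483BDEE
  • Part of subcall function 0483BD8E: GetForegroundWindow.USER32 ref: 0483BDB0
  • Part of subcall function 0483BD8E: GetWindowTextW.USER32(00000000,?,00000100), ref: 0483BDC3
  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
"""

# One call line: optional 'Part of subcall function X:' prefix, Name.MODULE, optional
# (args), then 'ref: ADDR'. Arguments are hex words, or '?' where the sandbox could
# not resolve the value.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 SDK constants (winsvc.h / winuser.h) for the arguments decoded below.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_ACCESS = {0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE"}
SM_VIRTUAL = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
              0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}


@dataclass(frozen=True)
class Call:
    name: str
    module: str
    args: tuple           # int per hex literal, None for '?'
    ref: int              # address of the call site
    subcall: int | None   # callee address when the line is 'Part of subcall function'


def _arg(tok: str) -> int | None:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_functions(text: str) -> list[list[Call]]:
    """Split the listing at each 'APIs' header and parse the call lines under it."""
    funcs: list[list[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not funcs:
            continue
        args = () if m["args"] is None else tuple(_arg(t) for t in m["args"].split(","))
        funcs[-1].append(Call(m["name"], m["mod"], args, int(m["ref"], 16),
                              int(m["sub"], 16) if m["sub"] else None))
    return funcs


def decode(call: Call) -> str | None:
    """Name the constant argument of calls that matter for triage; None otherwise."""
    a = call.args
    if call.name == "ControlService" and len(a) > 1 and a[1] is not None:
        return SERVICE_CONTROL.get(a[1], f"control {a[1]:#x}")
    if call.name == "OpenServiceW" and len(a) > 2 and a[2] is not None:
        bits = [n for bit, n in SERVICE_ACCESS.items() if a[2] & bit]
        return "|".join(bits) or f"access {a[2]:#x}"
    if call.name == "GetSystemMetrics" and a and a[0] is not None:
        return SM_VIRTUAL.get(a[0], f"SM_{a[0]:#x}")
    return None


def triage(calls: list[Call]) -> set[str]:
    """Tag a function by the API combinations seen in it (subcalls included)."""
    names = {c.name for c in calls}
    tags: set[str] = set()
    if names & {"ControlService", "StartServiceW"}:
        tags.add("service-control")
    if set(SM_VIRTUAL.values()) <= {decode(c) for c in calls}:
        tags.add("virtual-screen-geometry")      # bounds needed for a full-screen capture
    if {"GetForegroundWindow", "GetWindowTextW", "send"} <= names:
        tags.add("active-window-title-sent")     # window title read, then put on the socket
    if {"GetLastInputInfo", "GetTickCount"} <= names:
        tags.add("user-idle-check")              # time since the last keyboard/mouse input
    return tags


if __name__ == "__main__":
    for i, fn in enumerate(parse_functions(SAMPLE)):
        print(f"function {i}: {sorted(triage(fn))}")
        for c in fn:
            print(f"  {c.name}.{c.module} @ {c.ref:08X}  {decode(c) or ''}")
```

Note that in the records above OpenSCManagerW receives the same 0x20, 0x40 and 0x10 values as the OpenServiceW call that follows it; those values are SERVICE_* rights, and SC_MANAGER_* rights use different bit meanings, so the example decodes only the OpenServiceW mask rather than guessing at the manager handle's intent. To run it over a whole report, paste the relevant "APIs" sections into SAMPLE or read them from a file; lines that are not call lines (Memory Dump Source, Opcode ID and so on) are ignored by the parser.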
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                • GetLastError.KERNEL32 ref: 00449FAB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                • API ID: ByteCharErrorLastMultiWide
                                                • String ID: PkGNG
                                                • API String ID: 203985260-263838557
                                                • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                                • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 048242CD
                                                  • Part of subcall function 0483BC70: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,048242E3), ref: 0483BC97
                                                  • Part of subcall function 0483880A: CloseHandle.KERNEL32(0482435C,?,?,0482435C,00465E84), ref: 04838820
                                                  • Part of subcall function 0483880A: CloseHandle.KERNEL32(00465E84,?,?,0482435C,00465E84), ref: 04838829
                                                  • Part of subcall function 0483C77D: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,04824396,00465E84), ref: 0483C796
                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 0482439F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                • String ID: 0NG
                                                • API String ID: 368326130-1567132218
                                                • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                • Instruction ID: 84ea8b93c5278ee86345cd2679ce1398a304670c581bfa8ce7878859b05d86be
                                                • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                • Instruction Fuzzy Hash: 5631793191012856EB14F7BCDD55DEE7775AF90704F400AA5D506E7190EFA03EC6C692
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                  • Part of subcall function 00418691: 73492440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                  • Part of subcall function 00418706: 734AEFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                  • Part of subcall function 004186B4: 734B5080.GDIPLUS(?,00418BBD), ref: 004186BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                • API ID: CreateStream$73492440B5080
                                                • String ID: image/jpeg
                                                • API String ID: 1323946638-3785015651
                                                • Opcode ID: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                • Opcode Fuzzy Hash: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 04838D60
                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 04838DAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateStream
                                                • String ID: image/jpeg
                                                • API String ID: 1369699375-3785015651
                                                • Opcode ID: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                                • Instruction ID: 98ccf71f8127187949990cf0687b14f143c1fece08e352262418ec246c711d07
                                                • Opcode Fuzzy Hash: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                                • Instruction Fuzzy Hash: 2A318D72504310AFD701EF68C884D7FBBE9EF8A704F000A5DF985D7211DBB5A9048BA2
                                                APIs
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Init_thread_footer__onexit
                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                • API String ID: 1881088180-3686566968
                                                • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 04871EF9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction ID: 4cdcd850b81d3c0f8adf3956fb61083b402771db609d435b845f552093558855
                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction Fuzzy Hash: D121C163F10105A6E7748F64C929BAB72AAAB44B65F464F60ED09D7B00FF32F940C350
                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                • GetLastError.KERNEL32 ref: 0044B884
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: PkGNG
                                                • API String ID: 442123175-263838557
                                                • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0486BE55,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0486BAC2
                                                • GetLastError.KERNEL32 ref: 0486BAEB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: PkGNG
                                                • API String ID: 442123175-263838557
                                                • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                • Instruction ID: 4ee46386ffda4bc96cc6e39b67dfe53f80bab591bc7c2d43ded30e6374d2e9a7
                                                • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                • Instruction Fuzzy Hash: 5E316171A01219DBCB24CF59DD809D9B3F5FF48305B108AAAE50AD7260E630B9C1CB54
                                                APIs
                                                • _wcslen.LIBCMT ref: 04836597
                                                  • Part of subcall function 04833B19: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 04833B27
                                                  • Part of subcall function 04833B19: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0482C3F4,00466C58,00000001,000000AF,004660B4), ref: 04833B42
                                                  • Part of subcall function 04833B19: RegCloseKey.ADVAPI32(004660B4,?,?,?,0482C3F4,00466C58,00000001,000000AF,004660B4), ref: 04833B4D
                                                  • Part of subcall function 0482A086: _wcslen.LIBCMT ref: 0482A09F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen$CloseCreateValue
                                                • String ID: !D@$PG
                                                • API String ID: 3411444782-1987221222
                                                • Opcode ID: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                • Instruction ID: a2b079a162484dbe88cb2b838540382ed02b744717756c027adfbc5cc2c37376
                                                • Opcode Fuzzy Hash: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                • Instruction Fuzzy Hash: 4E11D86074412157F608B73CA920A7D6286DF90308F808F7EE946CF1D1EEE67C80965B
                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                • GetLastError.KERNEL32 ref: 0044B796
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: PkGNG
                                                • API String ID: 442123175-263838557
                                                • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0486BE75,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0486B9D4
                                                • GetLastError.KERNEL32 ref: 0486B9FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: PkGNG
                                                • API String ID: 442123175-263838557
                                                • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                • Instruction ID: d6f2fb2c0dad59cc1eaaf2a1758b7db412a567693228b79f6983e90e1d161447
                                                • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                • Instruction Fuzzy Hash: AD2180356002199FCB15CF59C880AE9B3F9EB4831AF1049AAE94AD7251E770BD81CB20
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                  • Part of subcall function 00418691: 73492440.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                  • Part of subcall function 00418706: 734AEFB0.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                  • Part of subcall function 004186B4: 734B5080.GDIPLUS(?,00418BBD), ref: 004186BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateStream$73492440B5080
                                                • String ID: image/png
                                                • API String ID: 1323946638-2966254431
                                                • Opcode ID: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                                                • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                • Opcode Fuzzy Hash: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                                                • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 04838E4C
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 04838E71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateStream
                                                • String ID: image/png
                                                • API String ID: 1369699375-2966254431
                                                • Opcode ID: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                                                • Instruction ID: 11f0f0f252d6c0134662a949ee3c679219ccd53bf3332022ba4a1ec0a7766a7d
                                                • Opcode Fuzzy Hash: c5080055e3ee20b0f86b16816e754ddae04249a5e40f1d4050c67216b79272cb
                                                • Instruction Fuzzy Hash: 3F219371204210AFD701AB64CC84DBFBBEDEF8A655F100A1DF946D3211DBB5A945CBA3
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 04824873
                                                  • Part of subcall function 04824D08: send.WS2_32(?,00000000,00000000,00000000), ref: 04824D9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prologsend
                                                • String ID: o~E$NG
                                                • API String ID: 2679777229-4065726910
                                                • Opcode ID: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                • Instruction ID: 2ddaaed0f519cd8743fd19405da7f5a15d9ea951560b610da2eb9d4cc25e9f53
                                                • Opcode Fuzzy Hash: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                • Instruction Fuzzy Hash: D521DA32D001189BEB05FBB8EA51AFEB775EF50314F20466AE015E3190EFB52E95CB81
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 481472006-1507639952
                                                • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 04825297
                                                  • Part of subcall function 0483B7E7: GetLocalTime.KERNEL32(00000000), ref: 0483B801
                                                • GetLocalTime.KERNEL32(?), ref: 048252EE
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 04825286
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 481472006-1507639952
                                                • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                • Instruction ID: 303fa5f4d064326d716fe9469d38ffd02164eecbf677a96dc672329e5aad8946
                                                • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                • Instruction Fuzzy Hash: AA212961D00350ABE700F73CDE4876BBB54AB51218FC40E69D449CB165DAF9B5C887D7
                                                APIs
                                                • Sleep.KERNEL32 ref: 0041667B
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadFileSleep
                                                • String ID: !D@
                                                • API String ID: 1931167962-604454484
                                                • Opcode ID: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                • Opcode Fuzzy Hash: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                APIs
                                                • Sleep.KERNEL32(00000064), ref: 048368E2
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 04836944
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadFileSleep
                                                • String ID: !D@
                                                • API String ID: 1931167962-604454484
                                                • Opcode ID: bef958293fe2008a3a79a038302e0b3da231204476f86616c0fe51d81de4655c
                                                • Instruction ID: 7b48d3a84089cc9ff312b19273bd8d764d8981aa77a7aec0d7a47b02d7761fa2
                                                • Opcode Fuzzy Hash: bef958293fe2008a3a79a038302e0b3da231204476f86616c0fe51d81de4655c
                                                • Instruction Fuzzy Hash: 17119171604321AAE714FF78DE9496E7398EF50208F400E6DE946D3191FEB1BD88C653
                                                APIs
                                                • GetLocalTime.KERNEL32(00000000), ref: 0483B801
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: %02i:%02i:%02i:%03i $PkGNG
                                                • API String ID: 481472006-224355505
                                                • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                • Instruction ID: 9fe535ea72fbfb7ba3c216948ceeb4564414641f023973fca3aa962e473f0106
                                                • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                • Instruction Fuzzy Hash: C211937140825057D704FB68DA509BFB3E8AFA4208F500F6AF485C2094FF78FA84C657
                                                APIs
                                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 04827872
                                                  • Part of subcall function 0482779F: _wcslen.LIBCMT ref: 048277C3
                                                  • Part of subcall function 0482779F: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 04827824
                                                • CoUninitialize.COMBASE ref: 048278CB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeObjectUninitialize_wcslen
                                                • String ID: C:\Users\user\Desktop\E84Ddy7gSh.exe
                                                • API String ID: 3851391207-1188050719
                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction ID: 5adab0f9e6a1a8792640d2dfb7ce499160690475b107cdcab35adcd1ebe5a92b
                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction Fuzzy Hash: BF0184723053256BF3245B16DE0AF6B6748DB81729F210A2EF901C6181EB95BC4196BA
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event
                                                • String ID: !D@$NG
                                                • API String ID: 4201588131-2721294649
                                                • Opcode ID: 8fc69762f1054fab49cdf09addf11f5569ef1803885e917715690b2ef544eb48
                                                • Instruction ID: 0dd1f97796dc333799db457dd516ee593378f90f5dbd4fec36d3d48a3b250809
                                                • Opcode Fuzzy Hash: 8fc69762f1054fab49cdf09addf11f5569ef1803885e917715690b2ef544eb48
                                                • Instruction Fuzzy Hash: 291104324042248BD220FB2CDC40AEEB3A4AB55324F404E6DE699C3090EF707959C793
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: alarm.wav$hYG
                                                • API String ID: 1174141254-2782910960
                                                • Opcode ID: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                • Opcode Fuzzy Hash: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                APIs
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                • String ID: Online Keylogger Stopped
                                                • API String ID: 1623830855-1496645233
                                                • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                APIs
                                                  • Part of subcall function 0482B406: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0482B414
                                                  • Part of subcall function 0482B406: wsprintfW.USER32 ref: 0482B495
                                                  • Part of subcall function 0483B7E7: GetLocalTime.KERNEL32(00000000), ref: 0483B801
                                                • CloseHandle.KERNEL32(?), ref: 0482B356
                                                • UnhookWindowsHookEx.USER32 ref: 0482B369
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                • String ID: Online Keylogger Stopped
                                                • API String ID: 1623830855-1496645233
                                                • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                • Instruction ID: 6282fd339bf638e3def579624adabd5617b0d6a401b708c12c24209826109aff
                                                • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                • Instruction Fuzzy Hash: E701DD31600230EBD7157B2CCE0977EBBB19F42215F400E9DD48142195EBA6389597D7
                                                APIs
                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: String
                                                • String ID: LCMapStringEx$PkGNG
                                                • API String ID: 2568140703-1065776982
                                                • Opcode ID: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                • Opcode Fuzzy Hash: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                APIs
                                                • waveInPrepareHeader.WINMM(02D56A88,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                • waveInAddBuffer.WINMM(02D56A88,00000020,?,00000000,00401A15), ref: 0040185F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferHeaderPrepare
                                                • String ID: XMG
                                                • API String ID: 2315374483-813777761
                                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                APIs
                                                • waveInPrepareHeader.WINMM(00474D94,00000020,00476BD4,00476BD4,00476B50,00474EE0,?,00000000,04821C7C), ref: 04821AB0
                                                • waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,04821C7C), ref: 04821AC6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferHeaderPrepare
                                                • String ID: XMG
                                                • API String ID: 2315374483-813777761
                                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                • Instruction ID: 680c87500293010c33de886914ba62973bbc62d93107ec89d7865ec12900fdb7
                                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                • Instruction Fuzzy Hash: 900186B1700315AFD7109F68ED44965BBE5FB892157014A39E509C3761DBB1AC90CB68
                                                APIs
                                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,04824CA7), ref: 0483CE01
                                                • LocalFree.KERNEL32(?,?), ref: 0483CE27
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FormatFreeLocalMessage
                                                • String ID: PkGNG
                                                • API String ID: 1427518018-263838557
                                                • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                • Instruction ID: 586cfb26b38fb414cc7077dc7c3d01aa6294d3c1c508df305f2f3b822f6336ce
                                                • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                • Instruction Fuzzy Hash: 17F02871B00119BBEF08B7A8ED09DFFB73CDB84205B00066AB506E20D0EEA17D0196A2
                                                APIs
                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocaleValid
                                                • String ID: IsValidLocaleName$kKD
                                                • API String ID: 1901932003-3269126172
                                                • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                • API String ID: 1174141254-4188645398
                                                • Opcode ID: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                • Opcode Fuzzy Hash: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                • API String ID: 1174141254-2800177040
                                                • Opcode ID: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                • Opcode Fuzzy Hash: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                • API String ID: 1174141254-1629609700
                                                • Opcode ID: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                • Opcode Fuzzy Hash: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prolog
                                                • String ID: G~E$XMG
                                                • API String ID: 3519838083-1567329563
                                                • Opcode ID: a17f4d08dd56310e4990103567e1668ac71656cdff97641002e4e9c1f0465104
                                                • Instruction ID: 46ef48885791f01ea5a795d25bf9209786ba0890c7f420113da66f2e558d53f7
                                                • Opcode Fuzzy Hash: a17f4d08dd56310e4990103567e1668ac71656cdff97641002e4e9c1f0465104
                                                • Instruction Fuzzy Hash: 58F0E971A102349BE718AB5C991466EB365EF91724F1047EEE815E72A0CFB43D40C6A7
                                                APIs
                                                • GetKeyState.USER32(00000011), ref: 0040B686
                                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                • String ID: [AltL]$[AltR]
                                                • API String ID: 2738857842-2658077756
                                                • Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                • Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
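The entries above describe one function each: the keylogger-stop routine (CloseHandle plus UnhookWindowsHookEx, string "Online Keylogger Stopped"), which the report recovered both from the unpacked image at offset 00400000 and from the 04820000 region with the same Opcode ID but a different Instruction ID; the waveInPrepareHeader/waveInAddBuffer routine; the PathFileExistsW probes for the Chrome, Edge and Opera profile directories; and the GetKeyState/ToUnicodeEx key-translation routine. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python parser for this entry format that tags each function with a coarse capability from its APIs and referenced strings, and groups entries by Opcode ID so that a function relocated between dumps is recognised as one function. The SAMPLE text is constructed from entries on this page; the capability labels and the API and path lists in CAPABILITIES are this example's own choices, not fields of the report.

```python
"""Added example, not part of the Joe Sandbox report: parse the per-function
entries above, tag each with a capability, find functions present in several dumps."""
import re
from collections import defaultdict

# Constructed sample condensed from entries on this page (keylogger-stop routine
# from both dumps, microphone-capture routine, Chrome probe); unneeded lines omitted.
SAMPLE = r"""
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
• Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: Online Keylogger Stopped
• Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
• Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
APIs
• CloseHandle.KERNEL32(?), ref: 0482B356
• UnhookWindowsHookEx.USER32 ref: 0482B369
Strings
• Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
• String ID: Online Keylogger Stopped
• Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
• Instruction ID: 6282fd339bf638e3def579624adabd5617b0d6a401b708c12c24209826109aff
APIs
• waveInPrepareHeader.WINMM(02D56A88,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
• waveInAddBuffer.WINMM(02D56A88,00000020,?,00000000,00401A15), ref: 0040185F
Strings
• Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
Strings
• Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• Opcode ID: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
"""

# One API bullet, with or without the "Part of subcall function" prefix or an argument list.
API_RE = re.compile(r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• Opcode ID: ..."


def parse_entries(text):
    """One dict per function: API names, referenced strings (API arguments plus
    the String ID line), dump offset, Opcode ID and Instruction ID."""
    entries, cur, in_apis = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            cur = dict(apis=[], strings=[], offset=None, opcode_id=None, instruction_id=None)
            entries.append(cur)
            in_apis = True
        elif not line or cur is None:
            continue
        elif not line.startswith("•"):
            in_apis = False                 # "Strings", "Memory Dump Source", ...
        elif in_apis:
            if (m := API_RE.match(line)):
                cur["apis"].append(m.group("name"))
                cur["strings"] += (m.group("args") or "").split(",")
        elif (m := KV_RE.match(line)):
            key, val = m.group("key"), m.group("val")
            if key == "Source File":
                off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
                cur["offset"] = off.group(1) if off else None
            elif key == "String ID":
                cur["strings"] += val.split("$")
            elif key in ("Opcode ID", "Instruction ID"):
                cur[key.split()[0].lower() + "_id"] = val
    return entries


# label -> (APIs of which at least one must be called, substrings of which at
# least one must occur among the referenced strings); empty means unconstrained.
CAPABILITIES = {
    "keylogger": ({"UnhookWindowsHookEx", "SetWindowsHookExW", "SetWindowsHookExA",
                   "ToUnicodeEx", "GetKeyboardState"}, ()),
    "audio_capture": ({"waveInPrepareHeader", "waveInAddBuffer", "waveInStart"}, ()),
    "browser_profile_probe": ({"PathFileExistsW"}, ("\\Google\\Chrome\\",
                              "\\Microsoft\\Edge\\", "\\Opera Software\\")),
}


def tag_capabilities(entry):
    apis, text = set(entry["apis"]), "\n".join(entry["strings"])
    return [label for label, (names, subs) in CAPABILITIES.items()
            if (not names or apis & names) and (not subs or any(s in text for s in subs))]


def shared_opcode_ids(entries):
    """Opcode IDs present in more than one dump, mapped offset -> Instruction ID.
    The two keylogger-stop entries keep their Opcode ID across the 00400000 and
    04820000 dumps while their Instruction IDs differ: one relocated function."""
    by_opcode = defaultdict(dict)
    for e in entries:
        if e["opcode_id"] and e["offset"]:
            by_opcode[e["opcode_id"]][e["offset"]] = e["instruction_id"]
    return {k: v for k, v in by_opcode.items() if len(v) > 1}
```

Run against the full report text instead of SAMPLE to get a capability list per function and a de-duplicated view across the unpacked image and the 04820000 region; the strings a function passes as API arguments ("Offline Keylogger Started" to GetLocalTime above) are collected alongside the String ID line, so the tagging works even where the report's Strings section is empty.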
                                                APIs
                                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Time$FileSystem
                                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                • API String ID: 2086374402-949981407
                                                • Opcode ID: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                                • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                • Opcode Fuzzy Hash: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                                • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: !D@$open
                                                • API String ID: 587946157-1586967515
                                                • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                APIs
                                                • ___initconout.LIBCMT ref: 004555DB
                                                  • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ConsoleCreateFileWrite___initconout
                                                • String ID: PkGNG
                                                • API String ID: 3087715906-263838557
                                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                                APIs
                                                • ___initconout.LIBCMT ref: 04875842
                                                  • Part of subcall function 04876E04: CreateFileW.KERNEL32(004654B8,40000000,00000003,00000000,00000003,00000000,00000000,04875847,00000000,PkGNG,0486B884,?,FF8BC35D,00000000,?,00000000), ref: 04876E17
                                                • WriteConsoleW.KERNEL32(004719B0,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0486B884,?,FF8BC35D,00000000,?,00000000,PkGNG,0486BE00,?), ref: 04875865
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ConsoleCreateFileWrite___initconout
                                                • String ID: PkGNG
                                                • API String ID: 3087715906-263838557
                                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                • Instruction ID: 7421b03d783e07554d535244a7630347bf6cfd797c012a52248a22e54c272315
                                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                • Instruction Fuzzy Hash: B3E06570500109B7DB10CF68DC65EAA3218EB01774F600F24F929C65D0EB74ED40D7A5
                                                APIs
                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State
                                                • String ID: [CtrlL]$[CtrlR]
                                                • API String ID: 1649606143-2446555240
                                                • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                APIs
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Init_thread_footer__onexit
                                                • String ID: ,kG$0kG
                                                • API String ID: 1881088180-2015055088
                                                • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteOpenValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 2654517830-1051519024
                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0482D770,00000000,?,00000000), ref: 04833CD3
                                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 04833CE7
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 04833CD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteOpenValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 2654517830-1051519024
                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction ID: b794bf3f9d204e2dd3f0aaa3672610c98c4f9a7e65652209d7a67e9acae7cc15
                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction Fuzzy Hash: B4E0EC71644208FBDF104B61DD06FAA776CEB01F52F104AA4BA0692491D6229A25A6A4
                                                APIs
                                                  • Part of subcall function 04854A68: __onexit.LIBCMT ref: 04854A6E
                                                • __Init_thread_footer.LIBCMT ref: 048311CB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Init_thread_footer__onexit
                                                • String ID: ,kG$0kG
                                                • API String ID: 1881088180-2015055088
                                                • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                • Instruction ID: 6e529223699986ef117ce8310e991d4d05ff6851cf02e78168a91c98e7dd6977
                                                • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                • Instruction Fuzzy Hash: E8E0D831504D208EE304A72C9944AD933DA9B0AB2A7229B2AD814D61E1CF9578808E9E
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0482EEAA,0000000D,00000033,00000000,00000032,00000000,004673AC,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0482D31A
                                                • GetLastError.KERNEL32 ref: 0482D325
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID: Rmc-D7NPY6
                                                • API String ID: 1925916568-926284066
                                                • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                • Instruction ID: 6399ee434f92a5aa0907b842e13f4f99484fece6bc46b06ff092ab91a82b4ed3
                                                • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                • Instruction Fuzzy Hash: 2FD01270645710EBEB186774AE49B583955D744702F408979B50FC99E1CBE48CC09915
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                • GetLastError.KERNEL32 ref: 00440D85
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,04821FBC), ref: 04860FDE
                                                • GetLastError.KERNEL32 ref: 04860FEC
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04861047
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: 088dcbec5a167405d9ff8429c0973f5051f6e46d219a09f8e04e9eefcf98d3af
                                                • Instruction ID: b9a6ec632709134b4f7cee7dc790897575b27e42f8df4345ad4eae30d1d4e096
                                                • Opcode Fuzzy Hash: 088dcbec5a167405d9ff8429c0973f5051f6e46d219a09f8e04e9eefcf98d3af
                                                • Instruction Fuzzy Hash: 4D412B30A002A6EFDF61EF68C848A7E77A5EF01311F144B59EC5AD71A2EB31A801D752
                                                APIs
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2313081255.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2313081255.0000000000474000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2313081255.0000000000478000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastRead
                                                • String ID:
                                                • API String ID: 4100373531-0
                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
                                                APIs
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 04831E2E
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 04831EFA
                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04831F1C
                                                • SetLastError.KERNEL32(0000007E,04832192), ref: 04831F33
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2314933519.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_4820000_E84Ddy7gSh.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastRead
                                                • String ID:
                                                • API String ID: 4100373531-0
                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction ID: d10466adb735a340469ddd476be5dada6ed206fdcbb1e38c4e1dd3ba7487facd
                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction Fuzzy Hash: 954138716083059FEB248F58DC88B66B7E4FB48B16F044E2DF946C6691EB71F904CB61